Adobe Plans Fixes for Critical 3D Bugs in Reader, Acrobat X

Adobe will fix a slew of security flaws in Reader and Acrobat, including the critical 3D vulnerabilities that were discovered in December, as part of its quarterly update.

Adobe will release patches addressing several security issues in Adobe Reader and Acrobat as part of its scheduled quarterly update next week.

The updates will affect Adobe Reader and Acrobat versions X and earlier on both the Windows and Mac OS X platforms, Adobe said in its advance notification announcement on Jan. 6. Adobe is expected to make the patches live on Jan. 10, which is the same day Microsoft is scheduled to release seven bulletins as part of the January Patch Tuesday release.

The updates are considered "critical," according to the advisory. Administrators will have to keep in mind there are updates from Adobe, Oracle and Microsoft this month, Wolfgang Kandek, CTO of Qualys, told eWEEK. Oracle's quarterly update is Jan. 17, a week after Adobe and Microsoft issue their patches.

Adobe's quarterly updates will include fixes for two vulnerabilities that Adobe patched on Dec. 16 in the Windows versions of Acrobat and Reader 9 and earlier as part of an emergency update. "These updates will include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30," the company said in the advisory.

There have been reports that the memory corruption vulnerabilities in the U3D and PRC components could lead to code execution attacks that are being "actively exploited in limited, targeted attacks in the wild," Adobe had warned in the initial zero-day advisory.

Adobe decided to delay the fixes for Acrobat and Reader X as well as for the Mac versions to speed up the release of the out-of-band patch, Adobe had said at the time. "The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted," Brad Arkin, senior director of product security and privacy at Adobe, wrote on the Adobe Secure Software Engineering Team blog.

Security researchers later found several samples of attack documents masquerading as surveys and contracts that had been sent to defense contractors and partners.

Protected Mode in Reader X and Protected View in Acrobat X have managed to block unsafe documents from launching malicious code in several different attacks recently. Adobe has fixed each discovery, but has not had to roll out an emergency patch for those versions yet, thanks to the built-in sandbox capabilities.

An update to address these issues in Adobe Reader 9.x for Linux was planned for Jan. 10, but was not listed in the advance advisory. Adobe still plans to update the software on the same day, according to an Adobe spokesperson. The Linux version did not appear on the prenotification announcement because, in essence, the Linux update is an out-of-band patch and not part of the overall scheduled update. The company made the decision to update the Linux version only twice a year, as opposed to the quarterly updates for the Windows and Mac versions. The next scheduled update for the Linux version is actually in April, the spokesperson said.

The decision to update every other quarter reflects the absence of attack activity, Arkin wrote on the ASSET blog in June, when the change was made. "We have never seen or heard of reports of a real-world malware sample that was functional or targeted against Adobe Reader for Linux," Arkin said.