Adobe released more than a dozen security patches that fix vulnerabilities in both Reader and Acrobat as part of the company’s regular quarterly update. Adobe also updated its list of trusted certificate authorities in the wake of the DigiNotar breach.
Adobe issued a total of 13 patches addressing critical security issues on Sept. 13. The flaws were identified in Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier for UNIX and Acrobat X (10.1) for Windows and Macintosh, according to the the security bulletin. The vulnerabilities could cause the application to crash and potentially allow a remote attacker to take control of the system.
“The bad news is that most of them could result in the worst kind of security outcome – remote code execution,” said Andrew Storms, director of security at nCircle. The update was “a ‘classic’ Adobe patch” in that there was “very little information” about the bugs being fixed in the patch, Storms added.
All but one of the patches fixed flaws that could lead to code execution, including a security bypass bug, three heap overflows, a memory leakage condition, a use-after-free flaw, a logic error and a buffer overflow vulnerability. The remaining patch resolved a local privilege-escalation vulnerability that existed only in Adobe Reader X on Windows.
There were also fixes to the buffer overflow vulnerability in the U3D TIFF Resource, a heap overflow and three stack overflows in the image parsing library, and two stack overflows in the CoolType.dll library.
“Adobe categorizes these as critical updates and recommends that users apply the latest updates for their product installations,” the company wrote in the security bulletin.
While Adobe recommends users to update to the latest version of Adobe Reader X, 10.1.1, the company is also offering Adobe Reader 9.4.6 and Reader 8.3.1 for users “who cannot update to Adobe Reader X,” according to the advisory. Adobe Acrobat 9.4.6 and Acrobat 8.3.1 are also available for users who can’t run Adobe Acrobat X. However, Adobe is expected to end support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh on Nov. 3.
The quarterly updates also incorporated the Adobe Flash Player updates that were released Aug. 9. Adobe Reader 9.4.6 for UNIX is currently scheduled to be released Nov. 7, Adobe said.
Along with the quarterly updates, the company also published the updated Adobe Approved Trust List (AATL) to remove the DigiNotar Qualified CA certificate. Adobe Reader and Acrobat X dynamically manage the Trust List without requiring a full product update or patch, so the applications are fully protected from potential fraudulent certificates signed by the Dutch certificate authority.
Adobe Reader and Acrobat 9 require code changes to remove DigiNotar from the list of trusted certificate authorities, said Wiebke Lips, a spokesperson for Adobe. The update to Acrobat and Reader 9 will be delivered “in a future update,” Lips said. Until that time, users can manually remove DigiNotar from the applications.
While Mozilla, Microsoft, Google and Apple have already revoked the certificates, Adobe delayed doing so “at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change,” Adobe said.
Adobe is expected to release the next quarterly security updates for Adobe Reader and Acrobat on Dec. 13.