Adobe patches eight more bugs

Adobe Systems has patched its Reader application for the fifth time this year, plugging eight security holes, including one that was reported to the company more than five months ago.

Share

Adobe Systems has patched its Reader application for the fifth time this year, plugging eight security holes, including one that was reported to the company more than five months ago.

In late May, researchers at Core Security Technologies told Adobe of a critical vulnerability in Adobe Reader and Adobe Acrobat, the free-of-charge and for-a-fee programmes, respectively, that handle PDF (Portable Document Format) files. The bug, which could be used by hackers to launch attack code against Windows, Mac or Linux computers, was found in older versions of the software.

Version 8.1.2 of Acrobat and Reader harbour the vulnerability, Core Security said in an advisory issued early Tuesday. Newer versions of the programs, Acrobat 9 and Reader 9, which were released in June, are immune.

Attackers could exploit the buffer overflow vulnerability with specially crafted PDF files, Core Security said.

Reader 8.1.2 was itself prompted by several bugs, some of which were actively exploited in the wild before Adobe could issue the update last February. In June, Adobe released a security update to 8.1.2 to plug yet another hole. That vulnerability had also been exploited by attackers before Adobe reacted.

At the time, a security expert blasted Adobe for what he called an "epidemic" of JavaScript bugs in Reader and Acrobat.

The flaw disclosed Tuesday by Core Security also involved JavaScript. "The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the 'util.printf()' JavaScript function," said Core Security's advisory.

Core Security reported its findings to Adobe on 20 May, but two patch postponements delayed the coordinated release of security advisories until Tuesday.

Ironically, while Foxit was able to patch against its bug in less than a month, Adobe took more than five times longer to issue fixes for its Acrobat and Reader. Ivan Arce, Core Security's chief technology officer, declined to speculate about why Adobe took so long, other than to point out that Tuesday's update fixed eight flaws altogether.

Shortly after Core Security published its advisory, Adobe followed with its own. The advisory offered links to updates to Reader 8.1.3 and Acrobat 8.1.3, and included terse descriptions of the other seven vulnerabilities patched Tuesday, which included additional input validation bugs, a pair of flaws in Reader's download manager and a vulnerability that had been published publicly last May.

Adobe and Core said they had no reports of active attacks using any of the eight vulnerabilities.