Feeds

Surprise Adobe update grapples with critical flaws

Reader, I pwned him

Combat fraud and increase customer satisfaction

Adobe published an out-of-sequence update for its Reader and Acrobat software packages on Tuesday that tackles a brace of serious flaws.

The cross-platform Reader and Acrobat update fixes a vulnerability in the domain sandbox of the PDF technology that opens the door to possible exploits, more specifically unauthorised cross-domain requests. In addition the update addresses a critical flaw that creates a mechanism for hackers to inject hostile code onto vulnerable systems.

Adobe advises users to upgrade to Acrobat version 9.3.1 and Reader version 9.3.1, as explained in a bulletin here. Last week Adobe updated its Flash software in a way that meant users had to uninstall the previous version in order to remove the threat from their systems.

The importance of the Reader update is underscored by the release of a survey by web security firm ScanSafe which reports 80 per cent of all web-based exploits it blocked in the last quarter of 2009 were PDF exploits

Recently Adobe promised to move onto a quarterly patching schedule for Reader updates, at least, in order to make life easier for sys admins. The latest patches fall outside this sequence and without a detailed explanation of what had been fixed, leaving some in the security community puzzling over the update.

Andrew Storms, director of security operations at network security firm nCircle, commented: "As of now, there are no known zero day exploits in the wild for the patched Acrobat bug, but Adobe's effort to update this patch critical vulnerability outside their normal patch cycle will undoubtedly draw lots of attention from attackers."

"Last week Adobe released a security update to Flash and today they released an Acrobat update that references last week's Flash update. Adobe's lack of detailed security bulletins on the situation is leaving us all scratching our heads and wishing we had more information." ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.