Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Adobe belatedly pushed out critical updates for its frequently-attacked Reader and Acrobat PDF software packages on Tuesday.
Mac and Windows users of Adobe Reader XI (11.0.08) and earlier versions should update to version 11.0.09. Adobe Reader X (10.1.11) users who can't upgrade are being offered a patched version of the earlier release, version 10.1.12.
Users of Adobe Acrobat XI (11.0.08) and earlier versions should update to version 11.0.09.
Sysadmins should note that applying the patches will involve a system restart.
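The version rules above (Reader and Acrobat XI at 11.0.08 or earlier go to 11.0.09, Reader X at 10.1.11 goes to 10.1.12) are easy to get wrong with plain string comparison once a component reaches two digits. The following patch-compliance check is an added example, not code from Adobe or from this article; the host names and installed versions in the inventory are constructed sample data, and the fixed-version table is taken directly from the figures quoted above.

```python
from typing import Dict, List, Optional, Tuple

# Fixed versions per release branch, as stated in the advisory summary above:
# the XI branch (11.0.x) is fixed at 11.0.09, the X branch (10.1.x) at 10.1.12.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (11, 0): (11, 0, 9),
    (10, 1): (10, 1, 12),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.08' into (11, 0, 8) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str) -> Optional[bool]:
    """True if the installed build is at or above the fixed build for its branch,
    False if it still needs the update, None if the branch is not covered by
    this advisory (e.g. a release line older than X)."""
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def audit(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split a {host: installed_version} inventory into hosts that still need
    the update and hosts whose branch this advisory does not cover."""
    needs_update: List[str] = []
    unknown_branch: List[str] = []
    for host, installed in sorted(inventory.items()):
        state = is_patched(installed)
        if state is None:
            unknown_branch.append(host)
        elif state is False:
            needs_update.append(host)
    return needs_update, unknown_branch


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "host-a": "11.0.08",   # XI, one build behind: needs 11.0.09
        "host-b": "11.0.09",   # XI, already on the fixed build
        "host-c": "10.1.11",   # X, needs the 10.1.12 back-port
        "host-d": "9.5.5",     # branch not covered by this advisory
    }
    outdated, unknown = audit(sample)
    print("needs update:", outdated)
    print("not covered :", unknown)
```

The check keys the required build on the first two version components, because the advisory gives a different target for each branch; a flat "is it at least 11.0.09" test would wrongly flag every Reader X install as compliant-to-nothing rather than pointing it at 10.1.12.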
Adobe's advisory explains that the software patches eight vulnerabilities, five of which could lead to code execution. The remaining three bugs involve a sandbox bypass vulnerability, a crashing (denial of service) risk and a cross-site scripting flaw.
Put together, that's a nasty cocktail, so it's no surprise that Adobe delayed the Reader and Acrobat patches, originally scheduled for 10 September, by seven days.
This didn't mean that the software developer was idle on Patch Tuesday, though. Instead it released a critical update for Adobe Flash (Windows and Macintosh), Flash browser plugins and a far less serious update for Adobe AIR Desktop, as explained in Adobe's advisory here.
Adobe's official explanation was that the Reader and Acrobat patches were "delayed to address issues identified during regression testing", implying that the original version of the patches introduced new faults.
"The [Reader and Acrobat] patches address all 8 vulnerabilities per operating system, so they are each described as priority 1, top patching concerns," commented Ross Barrett, senior manager of security engineering at Rapid7. "Though these are all high priority issues, the disclosure list suggests that they are not active in the wild, but given the nature of the disclosure, exploit or proof of concept code will likely become available in the near future." ®