Adobe issues emergency patch for Reader, Acrobat

Share this article:
Adobe on Thursday issued an emergency fix for Reader and Acrobat to address a "critical flaw," first disclosed at the Black Hat conference in Las Vegas, that could allow an attacker to compromise a user's system.

The updates, Adobe Reader and Acrobat versions 9.3.4 and 8.2.4, fix an integer overflow error in the way the PDF viewer parses fonts. The vulnerability could allow an attacker to execute arbitrary code on an affected system, according to Adobe's security bulletin.

The flaw was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation. The bug can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia.

The vulnerability affects Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX, along with Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh.

Adobe was considering releasing the fix during its normal quarterly cycle in October, but decided otherwise, even though there are no reported exploits.

Additionally, six Flash Player vulnerabilities, listed as "critical," were fixed in the code included in Thursday's Reader and Acrobat updates. The vulnerabilities, which were fixed in Flash Player itself on Aug. 10, could be exploited by an attacker to crash the multimedia application or take control of a user's system.

Reader and Acrobat ship with Flash Player code, so typically when there is an update to Flash, Adobe needs to make the same updates to the code in Reader and Acrobat, a company spokeswoman told SCMagazineUS.com in an email Thursday.

Flash Player is not affected by vulnerabilities in Reader and Acrobat. Only Reader and Acrobat are affected by certain vulnerabilities in Flash Player, the spokeswoman said.

Adobe is scheduled to release the next quarterly security updates for Reader and Acrobat on Oct. 12.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Millenials improve security habits, more interested in cyber careers, still need guidance

Millenials improve security habits, more interested in cyber ...

Raytheon's second annual survey on the online and security behavior of Millennials shows improvement but still a long way to go.

Pakistani man indicted over spyware app creation

Hammad Akbar created StealthGenie, which allowed the purchaser to secretly monitor a cell phone's communications.

FDA finalizes guidelines on medical device, patient data security

The recommendations are aimed at providing better protecting patient health and data, as well as hoping device manufacturers take into account cybersecurity risks in the early stages of development.