Adobe issues emergency patch for Reader, Acrobat

Share this article:
Adobe on Thursday issued an emergency fix for Reader and Acrobat to address a "critical flaw," first disclosed at the Black Hat conference in Las Vegas, that could allow an attacker to compromise a user's system.

The updates, Adobe Reader and Acrobat versions 9.3.4 and 8.2.4, fix an integer overflow error in the way the PDF viewer parses fonts. The vulnerability could allow an attacker to execute arbitrary code on an affected system, according to Adobe's security bulletin.

The flaw was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation. The bug can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia.

The vulnerability affects Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX, along with Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh.

Adobe was considering releasing the fix during its normal quarterly cycle in October, but decided otherwise, even though there are no reported exploits.

Additionally, six Flash Player vulnerabilities, listed as "critical," were fixed in the code included in Thursday's Reader and Acrobat updates. The vulnerabilities, which were fixed in Flash Player itself on Aug. 10, could be exploited by an attacker to crash the multimedia application or take control of a user's system.

Reader and Acrobat ship with Flash Player code, so typically when there is an update to Flash, Adobe needs to make the same updates to the code in Reader and Acrobat, a company spokeswoman told in an email Thursday.

Flash Player is not affected by vulnerabilities in Reader and Acrobat. Only Reader and Acrobat are affected by certain vulnerabilities in Flash Player, the spokeswoman said.

Adobe is scheduled to release the next quarterly security updates for Reader and Acrobat on Oct. 12.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Tinba variant aimed at U.S., international banks

Tinba variant aimed at U.S., international banks

Researchers at AVAST have unlocked a Tinba variant and discovered it has been customized to target U.S. financial institutions.

Adobe makes delayed updates for Reader, Acrobat available

The Reader and Acrobat fixes were delayed a week due to issues found during testing.

Nigerian police search for ringleader in major bank heist

The suspect, Godswill Oyegwa Uyoyou, conspired with others to hack bank systems and divert 6.28 billion Naira to mule accounts.