Adobe on Tuesday patched 17 vulnerabilities in its flagship Reader and Acrobat software, including a zero-day flaw already being exploited in the wild and another that abuses a native PDF feature, the /Launch action.
Users of Reader for Windows, Macintosh and UNIX, and of Acrobat for Windows and Mac, are encouraged to upgrade to version 9.3.3.
The update includes a fix for a critical vulnerability, disclosed in a June 4 Adobe advisory, that could allow an attacker to take control of an affected system. The same bug was also present in Flash, for which Adobe had already shipped a fix; attackers are exploiting it in active attacks. Because of the severity of the zero-day, Tuesday's quarterly update arrived two weeks ahead of schedule.
Another fix addresses abuse of the PDF specification's "/Launch" action, which lets a document run scripts or .exe files embedded in the PDF, a capability that could be used in social engineering attacks or to spread worms.
Normally Reader displays a warning dialog before a PDF launches an executable. But on March 29 researcher Didier Stevens reported that he could partially control the text shown in that dialog, making it far easier to dupe users into clicking through.
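Because a /Launch action is an ordinary PDF object, a reader can triage a suspect file for it without opening the document. The following Python script is an added example written for this page; it is not code from the article, from Adobe, or from Didier Stevens. The embedded sample PDF is constructed for the demonstration, and the function names are the example's own. It canonicalizes PDF name tokens (so the #xx escape spelling /L#61unch is recognized as /Launch), reports every object carrying a /Launch action together with the /F file and /P parameters the dialog would be launching, and flags whether the catalog's /OpenAction triggers it automatically on open rather than on a click.

```python
import re
import sys
from typing import Dict, List

# Constructed sample (not from the article): a minimal PDF whose catalog
# /OpenAction points at a /Launch action that would run cmd.exe. The name
# /Launch is written as /L#61unch (PDF #xx name escape) to exercise the
# de-obfuscation step; a conforming reader treats both spellings identically.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c echo hello) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")
PARAMS_RE = re.compile(rb"/P\s*\(([^)]*)\)")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a PDF name token (L#61unch -> Launch)."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every /Name token in canonical form so plain regexes can match
    it. Slash-prefixed words inside literal strings are rewritten too, which
    is harmless for this triage purpose."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), data)


def find_launch_actions(pdf: bytes) -> List[Dict[str, object]]:
    """Return one record per indirect object that holds a /Launch action.

    auto_open is True when the catalog's /OpenAction references the object,
    i.e. the launch fires as soon as the file is opened rather than on a
    click. Caveat: objects packed into compressed object streams (/ObjStm)
    are not inflated here, so a real tool must decompress those first."""
    data = normalize_names(pdf)
    auto = {int(m.group(1)) for m in OPENACTION_REF_RE.finditer(data)}
    hits: List[Dict[str, object]] = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        p = PARAMS_RE.search(body)
        hits.append({
            "obj": num,
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
            # inline form << /OpenAction << /S /Launch ... >> >> in the catalog
            "auto_open": num in auto or b"/OpenAction" in body,
        })
    return hits


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a PDF on disk; the file is never rendered or opened by a viewer."""
    with open(path, "rb") as fh:
        return find_launch_actions(fh.read())


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_launch_actions(SAMPLE_PDF)
    for hit in results:
        print(f"obj {hit['obj']}: /Launch file={hit['file']!r} "
              f"params={hit['params']!r} auto_open={hit['auto_open']}")
```

Run it with a path to a PDF, or with no arguments to scan the built-in sample. A /Launch hit is not proof of malice on its own (the action has legitimate uses, which is why Adobe left an opt-in), but an action whose target is a shell or script interpreter and which fires from /OpenAction is exactly the pattern the March dialog trick relied on, and it is worth quarantining before anyone clicks through a warning.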
"Today's update includes changes to resolve the misuse of this command," Steve Gottwals, group product manager at Adobe, wrote in a blog post. "We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks. If your organization relies on this capability, we recommend that the functionality be re-enabled."
Stevens, in a blog post Tuesday, illustrated what the "Launch File" dialog box looked like before and after the fix.
"Not only is the dialog box fixed, but the /Launch action is also disabled by default," he wrote.
Of the other 16 vulnerabilities patched in Reader and Acrobat on Tuesday, 15 could lead to code execution. The remaining bug could be confirmed only as a denial-of-service issue, though Adobe did not rule out that code execution could be demonstrated.