Multiple critical flaws fixed in Adobe Acrobat, Reader

Critical updates to Adobe Acrobat and Reader fix eight vulnerabilities. Versions for all supported platforms are affected.

Adobe Acrobat 9.3 and Adobe Reader 9.3 deliver fixes for eight vulnerabilities that can cause crashing and potentially the execution of arbitrary code. The update is the latest in Adobe's recently adopted pattern of quarterly updates.

For Windows and Mac users who are forced (or have particular reasons to choose) to stay with version 8 of the programs, Adobe has also released updaters to version 8.2.

The updates address a variety of vulnerabilities, not just the common buffer overflows. The good news is that Adobe is warning that just one of the vulnerabilities (involving JavaScript) is being actively exploited, and only on Windows.

Adobe is using the release of 9.3 to test a new update mechanism with customers enrolled in a beta program. The new updater was delivered in October 2009 as part of the 9.2 and 8.1.7 updates, but was 'switched off' for most users.

The objective is to provide a more streamlined and automated update process. If this month's trial is successful, the new updater could be activated in April.

Reader product manager Steve Gottwals noted that the January updates reset the Blacklist Framework mitigation that was previously released as temporary protection against the JavaScript exploit, unless the mitigation was deployed to a "locked down" area, in which case it must be manually reset.

Gottwals also pointed out that Reader 7 and Acrobat 7 have reached the end of their support periods and consequently are no longer being updated. The same applies to Reader Unix 8.

Users of unsupported versions of the products are strongly recommended to update to newer versions. While that's standard advice, it also hints at a warning that one or more of the flaws fixed in 9.3 are present in version 7.