Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks.
The vulnerabilities are rated “critical” and affect Adobe Reader and Adobe Acrobat on all platforms — Windows, Mac and Linux.
This PDF Reader/Acrobat update falls outside of the company’s scheduled quarterly patch cycle. It is not yet clear why Adobe opted for an out-of-band patch, but the presence of Microsoft’s security research team as a flaw-finder on this bulletin suggests Redmond may have pressured Adobe to rush out a fix.
Adobe insists there are no active attacks or exploit code publicly available.
There is also a clear connection to a patch released last week
for Adobe Flash Player. That Flash patch covered a hole
(CVE-2010-0186) that could subvert the domain sandbox and make
unauthorized cross-domain requests.
In today’s Reader/Acrobat bulletin, the same vulnerability is
referenced as affecting Adobe Reader 9.3 for Windows, Macintosh and
UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2
and Acrobat 8.2 for Windows and Macintosh.
Adobe also credited Microsoft’s researcher with discovering a critical vulnerability (CVE-2010-0188) that could cause the application to crash and could potentially allow an attacker to take control of the affected system.
From the advisory:
> Adobe recommends users of Adobe Reader 9.3 and earlier
versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1.
(For Adobe Reader users on Windows and Macintosh who cannot update to
Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.)
Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for
Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends
users of Acrobat 8.2 and earlier versions for Windows and Macintosh
update to Acrobat 8.2.1.
Adobe is shipping these patches via the product’s automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and they can be manually activated by choosing Help > Check For Updates Now.
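For anyone reconciling an endpoint inventory against the advisory above, here is an added patch-compliance triage (example code, not Adobe's): it encodes the fixed builds the advisory names (Reader/Acrobat 9.3.1 and 8.2.1, with the 8.2.1 Reader update available only for Windows and Macintosh) and flags hosts that still need the update. The inventory records and host names are constructed for illustration.

```python
from typing import NamedTuple

# Patched builds per major branch, taken from the advisory quoted above.
FIXED = {9: (9, 3, 1), 8: (8, 2, 1)}
# The advisory provides the 8.2.1 Reader update only for Windows and Macintosh.
READER_8_PLATFORMS = {"windows", "macintosh"}


class Verdict(NamedTuple):
    vulnerable: bool
    action: str


def parse_version(text):
    """'9.3' -> (9, 3, 0): pad to three numeric components, reject junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def triage(product, platform, version):
    """Decide whether an installed Reader/Acrobat build still needs this update."""
    v = parse_version(version)
    major = v[0]
    if major > 9:
        return Verdict(False, "newer than advisory scope")
    if major < 8:
        # "9.3 and earlier" covers these too; only the 9.x line has a fix for them.
        return Verdict(True, "update to 9.3.1")
    fixed = FIXED[major]
    if v >= fixed:
        return Verdict(False, "patched")
    # 8.x Reader on UNIX has no 8.2.1 build; it must move to 9.3.1.
    if major == 8 and product == "Reader" and platform.lower() not in READER_8_PLATFORMS:
        return Verdict(True, "update to 9.3.1")
    return Verdict(True, "update to " + ".".join(map(str, fixed)))


# Constructed inventory: (host, product, platform, installed version)
INVENTORY = [
    ("host-a", "Reader", "Windows", "9.3"),
    ("host-b", "Reader", "UNIX", "9.3.1"),
    ("host-c", "Acrobat", "Macintosh", "8.2"),
    ("host-d", "Reader", "UNIX", "8.1.7"),
    ("host-e", "Reader", "Windows", "7.1.4"),
]


def scan(inventory):
    """Return {host: Verdict} for every host that still needs the update."""
    verdicts = {h: triage(p, pl, v) for h, p, pl, v in inventory}
    return {h: vd for h, vd in verdicts.items() if vd.vulnerable}
```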
UPDATE: Adobe spokeswoman Wiebke Lips answers some of the lingering questions:
Why go out-of-band with this update? Are there attacks or exploit code in
the wild?
The Flash Player vulnerability we fixed on February 11 also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe decided to make this fix available as an out-of-cycle update. Adobe is not aware of any exploits in the wild for any of the issues patched in this release.
It looks like the Adobe Flash Player flaw from last week now affects Reader/Acrobat. Are you planning on updating the Flash bulletin with this information?
We actually already disclosed this information on February 11 by issuing a separate advisory for Adobe Reader and Acrobat, which discussed the Flash Player vulnerability.
Is there a link between Microsoft finding/reporting the code execution
bug and the out-of-band release?
No — other than the fact that this particular vulnerability is also fixed in
this update. We decided to go out-of-cycle because of the Flash Player
vulnerability we fixed on February 11 and which also affects Adobe Reader and
Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and
Acrobat, which is scheduled for April, Adobe made the decision to make this fix
available as an out-of-cycle update.