Adobe PDF Reader Gets Another Security Makeover

Author: Ryan Naraine
minute read

Adobe has released a mega-update for its Reader and Acrobat software products to fix a total of eight documented security vulnerabilities. The update comes with significant security improvements, including the on-by-default addition “Enhanced Security,” a feature that provides a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions.

Adobe has released a mega-update for its Reader and Acrobat software products to fix a total of eight documented security vulnerabilities.

The update comes with significant security improvements, including the on-by-default addition “Enhanced Security,” a feature that provides a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions.

First up, here are the security vulnerabilities patched with this update:

  • This update resolves a use-after-free vulnerability in Multimedia.api that could lead to code execution (CVE-2009-4324). There are reports that this issue is being actively exploited in the
    wild; the exploit targets Adobe Reader and Acrobat 9.2 on Windows
    platforms.
  • This update resolves an array boundary issue in U3D support that could lead to code execution (CVE-2009-3953).
  • This update resolves a DLL-loading vulnerability in 3D that could allow arbitrary code execution (CVE-2009-3954).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2009-3955).
  • This update mitigates a script injection vulnerability by changing the Enhanced Security default (CVE-2009-3956).
  • This update resolves a null-pointer dereference vulnerability that could lead to denial of service (CVE-2009-3957).
  • This update resolves a buffer overflow vulnerability in the Download Manager that could lead to code execution (CVE-2009-3958).
  • This update resolves an integer overflow vulnerability in U3D support that could lead to code execution (CVE-2009-3959).

Adobe rates this a “critical” update on all platforms.  The flaws affect Adobe Reader 9.2 and Acrobat
9.2 for Windows, Macintosh and UNIX; and Adobe Reader 8.1.7 and Acrobat
8.1.7 for Windows and Macintosh.

These vulnerabilities could cause the
application to crash and could potentially allow an attacker to take
control of the affected system.

According to this document released alongside the patches, Adobe has turned on the Enhanced Security feature by default.

Enhanced security provides two tools designed to help you protect your
environment: a set of default restrictions and a method to define
trusted locations that should not be subject to those restrictions. In
other words, you can either block dangerous actions altogether or else
selectively permit them for locations and files you trust.

It also includes privileged location improvements, cross domain support, warning message and dialog improvements and the disabling of legacy multimedia support by default.

Adobe is also beta testing a new automatic updater for Reader and Acrobat.  By default, the updater will silently patch installations without user interaction.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.