Adobe patched a huge number of flaws in its Reader software on Windows and Mac OS X on Tuesday, many of which were reported to the company by members of Google’s internal security team, which had set up a long-term fuzzing program to look for interesting crashes in the embedded PDF viewer in the Chrome browser. However, the Google researchers said that there are still a number of serious vulnerabilities in the application running on Windows and OS X that Adobe failed to patch and so the researchers have released limited details on the bugs and some advice for users on how to mitigate the risks from the vulnerabilities.
The Google security team began a project earlier this year to find potentially exploitable crashes in Reader, one of the more widely deployed applications on the Web. The team had originally run the test against Chrome’s embedded PDF reader and come up with more than 50 bugs, ranging in severity from low to high, and reported them to Adobe. The company fixed all of the high and critical severity vulnerabilities in its patch release yesterday.
The Google team then turned their attention to the Adobe Reader application running on GNU Linux, tossing huge amounts of malformed data at it and came up with 60 crashes. They sent the data to Adobe, but none of the Linux flaws were fixed in the patch release on Tuesday. Also, the researchers said that there are still a number of outstanding vulnerabilities in the Windows and OS X versions of Reader that remain unpatched and they said that attackers may be able to find the flaws independently.
However, the vulnerabilities are in older, non-sandboxed versions of Reader. Users who run Adobe Reader X for Windows, which includes a sandbox to lessen the severity of attacks on certain bugs, are at less of a risk from these remaining vulnerabilities.
“Unfortunately, sixteen more crashes affecting Windows, OS X, or both systems remain unpatched. Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release. Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds,” Mateusz Jurczyk and Gynvael Coldwind of Google wrote in an analysis of the bugs.
“Given this, we consider users of Adobe Reader to be exposed to serious risk. Using our thoughts on reasonable disclosure as a guide, we notified Adobe of our plans to publicly disclose information about any critical vulnerabilities which would remain unfixed 60 days beyond our initial contact. (Note: Adobe has confirmed they have no plans to issue additional out of band updates before August 27, which is 60 days after we disclosed all bugs. Since the Linux Reader version remains unpatched and the Windows / OS X patches are now available for diffing and reverse engineering, we have decided that it’s in the best interest of users to be aware of these security issues without additional delay.)”
The researchers have released the stack traces of the remaining unpatched flaws, but hid some of the information that attackers would need in order to locate and exploit the same crashes. Jurczyk and Coldwind recommend that, because there are no effective workarounds for the remaining flaws, users limit their use of Reader and not open PDFs sent from external sources.
Adobe releases patches for Reader on a regular schedule, but will sometimes push out updates outside of that schedule if there are critical bugs, especially if they’re publicly known and being used in attacks. But the Google team said Adobe doesn’t have immediate plans to do that in this case.