Adobe Patches Critical Vulnerabilities In Acrobat & Acrobat Reader

Software maker Adobe Systems has released patches for two critical security vulnerabilities in its widely used PDF viewing and editing software, Adobe Reader and Adobe Acrobat, fulfilling the promise the company made last week when the flaws were disclosed.

The first flaw is the cross-domain request vulnerability that was fixed in Flash Player the week before; the second is a memory-corruption vulnerability that an attacker could exploit to install malware on a targeted machine.

The Flash Player flaw is critical in Reader and Acrobat as well, because both applications ship their own Flash runtime to render Flash content embedded in PDF files; opening a crafted PDF is enough to reach the vulnerable code.

According to the statement issued by the company, the Flash Player vulnerability, CVE-2010-0186, does not allow an attacker to run code on the system, but it can be used to subvert the domain sandbox and make unauthorized cross-domain requests, an attack of the same class as cross-site scripting.
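Because the Flash flaw is only reachable from a PDF when the document actually carries Flash content, the first triage question for a suspicious PDF is whether it embeds any. The following scanner is an added example written for this page; it is not Adobe's code and not a full PDF parser. It looks for the three indicators a Flash-bearing PDF leaves behind (a /RichMedia annotation, a RichMediaInstance of /Subtype /Flash, and a stream whose bytes start with an SWF header, inflating FlateDecode streams first). The two PDFs it runs against are constructed inline for the demonstration and are structurally minimal (no valid xref table), which the scan does not need.

```python
"""Heuristic scan of a PDF for embedded Flash content.

Added example, not Adobe's code. It is a triage heuristic over the raw file,
not a conforming PDF parser: it does not decode object streams (/ObjStm) or
filters other than FlateDecode.
"""
import re
import zlib

# PDF 1.7 ExtensionLevel 3 embeds Flash via /RichMedia annotations whose
# RichMediaInstance dictionaries carry /Subtype /Flash. SWF files begin with
# FWS (uncompressed), CWS (zlib-compressed) or ZWS (LZMA-compressed).
RICHMEDIA_RE = re.compile(rb"/Subtype\s*/RichMedia\b")
FLASH_INSTANCE_RE = re.compile(rb"/Subtype\s*/Flash\b")
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")      # skip 'endstream'
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*[/>])")  # direct ints only
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def _stream_payloads(pdf: bytes):
    """Yield (raw, decoded) bytes for every stream; inflate FlateDecode streams."""
    for m in STREAM_START_RE.finditer(pdf):
        # The stream dictionary sits between the enclosing 'N G obj' and 'stream'.
        obj_start = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[obj_start:m.start()] if obj_start != -1 else b""
        start = m.end()
        length = DIRECT_LENGTH_RE.search(dictionary)
        if length:
            end = min(start + int(length.group(1)), len(pdf))
        else:  # indirect or missing /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end == -1:
                continue
        raw = pdf[start:end]
        decoded = raw
        if FLATE_RE.search(dictionary):
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or non-zlib data: inspect the raw bytes only
        yield raw, decoded


def find_flash_in_pdf(pdf: bytes) -> dict:
    """Count Flash indicators; has_flash is True if any indicator is present."""
    findings = {
        "richmedia_annots": len(RICHMEDIA_RE.findall(pdf)),
        "flash_instances": len(FLASH_INSTANCE_RE.findall(pdf)),
        "swf_streams": 0,
    }
    for raw, decoded in _stream_payloads(pdf):
        if raw[:3] in SWF_MAGIC or decoded[:3] in SWF_MAGIC:
            findings["swf_streams"] += 1
    findings["has_flash"] = any(
        findings[k] for k in ("richmedia_annots", "flash_instances", "swf_streams")
    )
    return findings


# Constructed samples for the demonstration (not files from the wild).
SWF_STUB = b"CWS\x0a" + b"\x00" * 12  # SWF header bytes only, not a playable movie
_flate_swf = zlib.compress(SWF_STUB)
FLASH_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj\n<< /Type /Annot /Subtype /RichMedia /RichMediaContent 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /RichMediaInstance /Subtype /Flash /Asset 3 0 R >>\nendobj\n"
    + b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(_flate_swf)).encode() + b" >>\nstream\n" + _flate_swf
    + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)

_text = b"BT /F1 12 Tf 72 712 Td (Hello, world) Tj ET"
CLEAN_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + b"4 0 obj\n<< /Length " + str(len(_text)).encode() + b" >>\nstream\n"
    + _text + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    print("flash sample:", find_flash_in_pdf(FLASH_PDF))
    print("clean sample:", find_flash_in_pdf(CLEAN_PDF))
```

Treat a positive result as a reason to look closer, not as a verdict: a PDF can also carry Flash inside an object stream or behind a filter this scan does not decode, and a document that legitimately embeds a video player will trigger it too. A negative result on a heavily obfuscated file is equally weak evidence, so pair the check with keeping Reader and Acrobat at the patched version.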

The second critical flaw, CVE-2010-0188, was reported through the Microsoft Vulnerability Research Program and could crash the application or allow remote code execution, which is what makes it usable for installing malware.

Adobe credited Microsoft for identifying the issue and bringing it to Adobe's attention.

Our Comments

Andrew Storms, director of security operations at nCircle Network Security, commenting on the two critical vulnerabilities, told Computer Weekly: “Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit.”

Related Links

Adobe rushes out two patches (The Inquirer)

Update: Adobe issues emergency PDF patches (Computer World)

Adobe Releases Security Update for Acrobat, Reader (PC Mag)

Two critical holes closed in Adobe Reader and Acrobat