Adobe Reader and Acrobat 9.3.4 Plagued by 0-day Vulnerability
Article by George Norman
On 10 Sep 2010
UPDATE September 14: Adobe announced a fix will be issued during the week of October 4. Adobe also announced Flash Player 10.1 is plagued by critical vulnerability that also affects Adobe Reader and Adobe Acrobat. A patch for this issue will also be released during the week of October 4.

UPDATE 13 September: Adobe updated the security advisory to include a mitigation option for Windows users: use EMET 2.0 to prevent the exploitation of the Adobe Reader and Adobe Acrobat vulnerability mentioned below.

Advertising

Adobe Reader 9.3.4 and earlier versions for Windows, Mac and UNIX, as well as Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac, are plagued by a critical vulnerability announced Adobe, the California-based company that specializes in creating multimedia and creativity software products. As Adobe explained, if someone with malicious intent exploited this vulnerability, that person could crash the targeted system and even take control of the targeted system.

Adobe has posted a security advisory in regards to the newly discovered vulnerability. In the advisory Adobe says the following:

“Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability. Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.”

So let’s recap: we have a critical vulnerability that could allow an attacker to crash and potentially take over the targeted machine. Adobe Reader 9.3.4 and previous versions are all affected; Adobe Acrobat 9.3.4 and previous versions are affected as well. Adobe does not yet now the precise date when it will release a fix for this issue.

Ready for something even worse? Here goes: the vulnerability that Adobe said it is aware of is actively being exploited in the wild. “There are reports that this vulnerability is being actively exploited in the wild,” said David Lenoe on behalf of the Adobe Product Security Incident Response Team.

The fact that the vulnerability is being exploited in the wild has been confirmed by McAfee, company that specializes in providing security software solutions for home and business users. McAfee said the vulnerability is a typical stack buffer overflow that occurs while Adobe Reader is parsing TrueType Fonts. The security company, which has entered a definitive agreement to be acquired by Intel, added that exploiting this vulnerability is expected to be a relatively easy task.

“Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses an Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP). McAfee Labs is coordinating with Adobe PSIRT, and we’ve provided them with additional details on the bug. Adobe Acrobat users are urged to update their security definitions for the various products,” said McAfee’s Xiao Chen.



Tags: Adobe, Adobe Reader, Adobe Acrobat, Security, McAfee
About the author: George Norman
George is a news editor.
You can follow him on Google+, Facebook or Twitter

I Hope you LIKE this blog post! Thank you!
What do YOU have to say about this
blog comments powered by Disqus
Popular News
By George Norman on 17 Aug 2017
With the blockbuster movie season upon us, Sony decided to celebrate the occasion with a sale: the Attack of the Blockbusters Sale that offers discounts of up to 50% (60% if you’re a PlayStation Plus member) on a ton of PS4 video games.
By George Norman on 17 Aug 2017
Samsung’s new T5 portable solid-state drive (PSSD) uses the latest 64-layer V-NAND technology, offers between 250GB and 2TB of storage capacity, has a lightweight and shock-resistant design that’s smaller than the average business card, and delivers industry-leading transfer speeds of up to 540 MB/s.
Related News
By George Norman on 31 May 2017
Having lots of devices connected to your network and the internet isn't a problem, as long as you keep the bad guys out of the picture. That’s crucial, because they'll exploit any vulnerability that they can find.
By George Norman on 17 Jul 2017
If you want top notch protection for your Windows computer, you can’t go wrong by getting something developed by the internationally renowned security company Kaspersky Lab. The problem is that…
By George Norman on 26 Jul 2017
Top-notch real-time protection against viruses doesn’t have to cost money, not if you go with the recently introduced Kaspersky Free antivirus solution. It may not come with a lot of bells and whistles, but it nicely covers all the basics and...
By George Norman on 31 Jul 2017
Are people taking better care of their passwords, or have their password habits changed for the worse? To get an answer to that question, data loss prevention software company Digital Guardian surveyed a thousand people about their password security habits and found that...
Sponsored Links
Hot Software Updates
Top Downloads
Become A Fan!
Link To Us!
Adobe Reader and Acrobat 9.3.4 Plagued by 0-day Vulnerability
HTML Linking Code