bit-tech.net

Adobe plans emergency Reader patch

Adobe's Reader and Acrobat packages are once again under attack, with an emergency patch planned.

Adobe has found itself in the security limelight again - and not in a good way - following the discovery of another major security vulnerability in the company's Reader and Acrobat software packages.

As reported over on InfoWorld, the flaw was announced by security supremo Charlie Miller at this year's Black Hat security conference and has the - as yet unproven - potential to allow remote code execution.

The flaw lies in the way Adobe Reader and Acrobat render TrueType fonts: a maliciously crafted font embedded in a PDF can cause sections of memory to be overwritten - at best crashing the reader and at worst allowing an attacker to execute arbitrary code.
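The class of bug described above can be triaged without knowing the specific flaw, because a renderer has to trust nothing in a font's table directory. The script below is an added example written for this page, not Adobe's code and not Miller's research: it pulls TrueType streams out of a PDF, parses each font's sfnt table directory and flags any table whose offset and length reach past the end of the font data. The stream matching is a heuristic for hand-built files rather than a full PDF parser, and the `build_font`/`build_pdf` helpers, table names and bogus offsets are constructed test input, not the undisclosed trigger of the Reader bug.

```python
"""Added example (not Adobe's or Miller's code): pull TrueType fonts out of a
PDF's streams, parse each table directory, and flag any table whose
offset/length reaches past the end of the font data. These are the untrusted
values a renderer must bounds-check before touching memory with them."""
import re
import struct
import zlib

# Heuristic for hand-built PDFs, not a full PDF parser: a flat dictionary
# directly followed by the 'stream' keyword. Only a direct /Length is honoured;
# an indirect '/Length 12 0 R' is deliberately left unmatched.
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")
LEN_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def extract_streams(pdf: bytes):
    """Yield decoded stream bodies, inflating FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        n = LEN_RE.search(dictionary)
        if n:
            data = pdf[start:start + int(n.group(1))]
        else:
            data = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        yield zlib.decompress(data) if b"/FlateDecode" in dictionary else data


def table_directory(font: bytes):
    """Parse the sfnt header and its table records into (tag, offset, length)."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", font[:6])
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt")
    records = []
    for i in range(num_tables):
        off = 12 + 16 * i
        if off + 16 > len(font):  # numTables is attacker-controlled too
            raise ValueError(f"table directory truncated at record {i}")
        tag, _cksum, offset, length = struct.unpack(">4sIII", font[off:off + 16])
        records.append((tag.decode("latin-1"), offset, length))
    return records


def check_font(font: bytes):
    """Findings for records that do not fit inside the font. Python sums exactly;
    a C parser adding offset + length in uint32 can wrap and accept the range."""
    return [f"{tag}: offset {offset} + length {length} exceeds font size {len(font)}"
            for tag, offset, length in table_directory(font)
            if offset + length > len(font)]


def scan_pdf(pdf: bytes):
    """Map stream index -> findings for each embedded TrueType font with a problem."""
    report = {}
    for idx, data in enumerate(extract_streams(pdf)):
        if data[:4] not in (b"\x00\x01\x00\x00", b"true"):
            continue  # not an sfnt (Type1/CFF font streams are out of scope)
        try:
            findings = check_font(data)
        except ValueError as e:
            findings = [str(e)]
        if findings:
            report[idx] = findings
    return report


# --- constructed test input (hypothetical fonts, not a real exploit) ---------
def build_font(tables, bogus=None):
    """Assemble a minimal sfnt. `bogus` maps a tag to an (offset, length) pair
    written into the directory instead of the real values (None keeps the real one)."""
    bogus = bogus or {}
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    records, blob, pos = b"", b"", 12 + 16 * len(tables)
    for tag, data in tables:
        padded = data + b"\0" * (-len(data) % 4)  # tables start 4-byte aligned
        b_off, b_len = bogus.get(tag, (None, None))
        offset = pos if b_off is None else b_off
        length = len(data) if b_len is None else b_len
        records += struct.pack(">4sIII", tag, 0, offset, length)
        blob += padded
        pos += len(padded)
    return header + records + blob


def build_pdf(font: bytes, compress: bool) -> bytes:
    """Wrap a font in a one-object PDF fragment, just enough for the scanner."""
    data = zlib.compress(font) if compress else font
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode() + filt
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


TABLES = [(b"head", b"\0" * 54), (b"maxp", b"\0" * 32), (b"glyf", b"\0" * 64)]
BENIGN_FONT = build_font(TABLES)
# Two crafted entries: a length far past the file, and an offset + length that
# wraps past 2**32 (0xFFFFFFF0 + 0x20 == 0x10 in uint32, so a naive check passes).
CRAFTED_FONT = build_font(TABLES, bogus={b"glyf": (None, 0x7FFFFFF0),
                                         b"maxp": (0xFFFFFFF0, 0x20)})
```

Calling `scan_pdf(build_pdf(CRAFTED_FONT, False))` returns two findings for stream 0, one for the oversized glyf length and one for the maxp record whose offset plus length wraps past 2^32, while the benign font returns an empty report. The wrap case is the point for a C parser: `offset + length <= size` in 32-bit arithmetic passes for that record, so the check has to be written as `length <= size && offset <= size - length` before any data is copied.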

As there is the potential for remote code execution, Adobe is taking the flaw seriously: so much so, in fact, that the company is planning an emergency, out-of-cycle patch release specifically to address the flaw.

Due for release in the week starting the 16th of August, the emergency patch will fix both the font rendering vulnerability publicised by Miller and a raft of other security flaws which Adobe is not detailing until closer to the release date.

Although a fix is coming, it's another embarrassment for a company which has had more than its fair share of security scares over the last few years - although for once the flaw does not lie in Reader's JavaScript implementation.

Are you surprised to find that Adobe's PDF-related software is still full of holes, or does each patch release give you hope that maybe, just maybe, they've fixed it this time? Share your thoughts over in the forums.

9 Comments

J05H11E 6th August 2010, 11:35 Quote
another font-related flaw :)
Aracos 6th August 2010, 13:08 Quote
Does anyone actually use this anymore?
Jim 6th August 2010, 14:15 Quote
I thought for a minute that they'd finally realised it runs like a dog
sear 6th August 2010, 14:24 Quote
Or you can just use Foxit Reader or Sumatra PDF and save yourself all this trouble...
DriftCarl 6th August 2010, 15:46 Quote
I'm always surprised at the number of critical bugs that come out of Adobe Reader when all it really does is show a PDF. I bet there are loads of features in PDFs that no one really uses.
FvD 6th August 2010, 17:52 Quote
Quote:
Originally Posted by DriftCarl
I'm always surprised at the number of critical bugs that come out of Adobe Reader when all it really does is show a PDF. I bet there are loads of features in PDFs that no one really uses.

A nice idea comes to mind:

*.spdf Simple Portable Document Format (you read it here first!)
  • no external hyperlinking
  • no custom/embedded fonts
  • no eval()
  • just plain text and eps graphics

But then, you could use LaTeX for that ( with the option to convert to ps or pdf )
Bakes 6th August 2010, 19:36 Quote
Quote:
Although a fix is coming, it's another embarrassment for a company which has had more than its fair share of security scares over the last few years

*cough* record patch tuesday *cough*.

I don't know why everyone rails against Adobe; every tech company has had lots of security issues, Apple (numerous Safari bugs), Microsoft (help, shortcuts, Conficker, etc.), and to single out Adobe for a flaw that was discovered by a white-hat researcher, disclosed and fixed before any exploitation of the flaw just seems unfair. Surely Adobe should be praised for reacting in a timely fashion?
jasonjax1 9th August 2010, 12:21 Quote
Hmmm, that many bugs, not really surprised. It is a good platform, but it is rarely seen to have bugs in it compared to others, like Bakes said.

I have problems with Adobe, but I use Foxit as an easy and obvious cheap alternative.
perplekks45 10th August 2010, 08:16 Quote
It's rarely seen to have bugs in it?
Well, okay. I'll go tell our security department they've been worried for nothing ever since the introduction of Adobe's products... :|

There is a reason we're forcing the latest stable versions of Shockwave & Flash on 2000 clients this week...