Adobe to release out-of-sequence security update tomorrow
August 18, 2010
Earlier this morning, Adobe said it plans to release some out-of-sequence security updates tomorrow that are designed to plug some security flaws in its Acrobat and Reader PDF software. It was revealed at the recent Black Hat conference two weeks ago that Adobe's software was prone to attacks, even after the company said it released security patches for Adobe Reader on July 27.
Security updates for Adobe Reader 9.3.3 for Windows, Macintosh and Unix will accompany Adobe Acrobat 9.3.3 for Windows and Macintosh as well as cross-platform fixes for Adobe Reader 8.2.3 and Acrobat 8.2.3.
Tomorrow will also mark the availability of a cross-platform update for Adobe Flash Player 10.1.53.64 as well.
Security people at Adobe appear to be busy for now, but some are wondering if it's not 'too little too late'. In the last year, and especially in the last 3 to 4 months, Adobe has had more than its fair share of security issues with its PDF software. The overall popularity with the company's software now appears to be somewhat of a concern for more than one security analyst.
One such vulnerable version is Acrobat's Flash Player. An integer buffer overflow error in the CoolType.dll library packages for Windows creates a critical code injection hole, as explained in an advisory by Secunia Security.
Both security flaws were discovered by Charlie Miller of Independent Security Evaluators. Adobe's next scheduled quarterly security update would have fallen on October 12, but the Black Hat-discovered holes were too serious to wait for that, so the decision to push forward an earlier release was done by Adobe.
More details on the planned update can be found in Adobe's advisory on their site.
Similar attacks against Adobe's PDF software are second only to Microsoft as the favourite target for hacker attacks in the field.
Overall, Adobe is placing a lot of effort into improving its security patching and processes but the results, for now at least, remain unsure at best.
The software maker's frequent security updates are a little hard to understand as a result.
Case in point: Less than two weeks ago, an Internet security researcher has uncovered a second vulnerability in Adobe Reader that allows potential hackers to execute malicious code on PCs by tricking their users into opening booby-trapped files.
Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical security flaw at last week's Black Hat security conference in Vegas.
It stems from an integer overflow in part of the application that parses fonts, he said.
This leads to a RAM memory allocation that's too small, allowing attackers to run code of their choosing on the underlying machine. There are no reports of the flaw being targeted for malicious purposes, however.
Details of Miller's discovery come as hackers are exploiting a separate font-parsing bug in the PDF reader built by Apple to jailbreak the latest iPhone. While the hack is harmless, security firms including Symantec and McAfee have warned that the underlying flaw, when combined with a second one, could be used to execute malicious code on the Apple smartphone.
Apple has yet to acknowledge the vulnerabilities, however. Phone calls to the company weren't returned as of yesterday, but Adobe did confirm the second security flaw on its website.
Brad Arkin, senior director of product security and privacy at Adobe, said members of the company's security team attended Miller's talk and have since confirmed his claims that the vulnerability can lead to remote code execution.
The security team is in the process of developing a fix and deciding whether to distribute it during Adobe's next scheduled update release or as an “out-of-band” fix that would come out in the next few weeks.
“There's some information in the slides and screenshots of some of the crash information. As we evaluate what's the right response, we're going to look into the issue and decide if that information is sufficient and if so, how long would it take for someone with malicious intent to convert that into a successful exploit,” added Arkin.
Miller's discovery is the latest in documenting a security vulnerability in Adobe Reader that puts its users at risk of attacks that can surreptitiously install malware and viruses that steal computer passwords or other sensitive and personal data.
The security vulnerability affects all versions for Windows, Unix and Mac OS X.
Key to the decision is determining whether there are enough details available from Miller's talk for the vulnerability to be exploited in real-world attacks.
Miller discussed the unpatched Adobe Reader hole during a demonstration of a security software tool called BitBlaze, which helps security researchers analyze bugs.
The tool was also instrumental in helping Miller gain insights into two additional exploitable security holes in OpenOffice that still remain unpatched as of today.
You can link to the Internet Security web site as much as you like.