In addition to today’s Microsoft updates, users of Adobe’s Reader and Acrobat software on both Windows and Apple systems need to update their software ASAP. Adobe released Bulletin APSB11-24, addressing at least thirteen memory corruption flaws, and several privilege escalation, logic flaw, and bypass issues.
In today’s earlier post about Microsoft’s patched vulnerabilities, Excel was highlighted as the target of choice in many targeted attacks. Along those lines, Adobe’s Reader and Flash are among the most commonly exploited software applications that are attacked by professional attackers.
I hope by now, if you installed Adobe’s pdf reader on your system, that you are using their newest version of the product, Reader X. It includes some fantastic sandboxing security functionality. But even this layer of security is not the perfect solution, as a vulnerability in it is being patched this month. Reader X sandbox attack 0day was even publicly demonstrated at Blackhat presentation “Playing In The Reader X Sandbox” a month ago. But it is a great layer of security and a great step forward for Adobe’s security team. To manually update Reader X, you can open “Reader X -> Help -> Check for Updates” and follow the instructions to download and install the updates from there.
Much like the Microsoft vulnerabilities, most of the issues are heap overflow based. But unlike most of the publicly described Microsoft vulnerabilities, these Adobe flaws continue to include a list of five stack overflow vulnerabilities. For a software vendor with a massive install base like Reader’s, this performance is just poor. Automated auditing tools for detecting stack overflow issues and focusing efforts to fix them have been available and enhanced for years now to organize and direct necessary code cleanup efforts. The contrast underscores the huge advances that Microsoft has made auditing their own code in comparison to other vendors.
Also along the lines of today’s previous post, Reader is frequently an effectively exploited software in targeted attacks. It is abused in much larger volumes by exploit pack developers and operators. Not only should corporate users, including legal staff, top level executive and board staff, admin assistants, political activists and HR folks be highly sensitive to flaws in their Adobe Reader and Flash software, but home users are getting hit by this stuff daily too. On bad days, Adobe exploit preventions run into the hundreds of thousands due to implementation and distribution in the Blackhole Exploit Pack, Phoenix Exploit Pack, and the underground’s mastery of blackhat SEO and malvertizing techniques. Patch immediately.
Adobe September 2011 Patch Release