Adobe patches 8 bugs in popular PDF apps

Fifth update to Reader this year fixes JavaScript flaw, other bugs

Adobe Systems Tuesday patched its Reader application for the fifth time this year, plugging eight security holes, including one that was reported to the company more than five months ago.

In late May, researchers at Core Security Technologies told Adobe of a critical vulnerability in Adobe Reader and Adobe Acrobat, the free-of-charge and for-a-fee programs, respectively, that handle PDF (Portable Document Format) files. The bug, which could be used by hackers to launch attack code against Windows, Mac or Linux computers, was found in older versions of the software.

Version 8.1.2 of Acrobat and Reader harbor the vulnerability, Core Security said in an advisory issued early Tuesday. Newer versions of the programs, Acrobat 9 and Reader 9, which were released in June, are immune.

Attackers could exploit the buffer overflow vulnerability with specially crafted PDF files, Core Security said.

Reader 8.1.2 was itself prompted by several bugs, some of which were actively exploited in the wild before Adobe could issue the update last February. In June, Adobe released a security update to 8.1.2 to plug yet another hole. That vulnerability had also been exploited by attackers before Adobe reacted.

At the time, a security expert blasted Adobe for what he called an "epidemic" of JavaScript bugs in Reader and Acrobat.

The flaw disclosed Tuesday by Core Security also involved JavaScript. "The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the 'util.printf()' JavaScript function," said Core Security's advisory.

Core Security uncovered the bug when it dug into an earlier-reported vulnerability in Foxit Reader, a free Reader clone available for Windows and Linux. Although that bug was found to be harmless to Adobe's applications, on further review, Core Security found a second flaw that could, in fact, be used to attack systems.

Core Security reported its findings to Adobe on May 20, but numerous back-and-forths and two patch postponements delayed the coordinated release of security advisories until Tuesday.

Ironically, while Foxit was able to patch against its bug in less than a month, Adobe took more than five times longer to issue fixes for its Acrobat and Reader. Ivan Arce, Core Security's chief technology officer, declined to speculate about why Adobe took so long to patch its programs, other than to point out that Tuesday's update fixed eight flaws altogether.

Join the PC World newsletter!

Error: Please check your email address.

Tags Applesecurity patch

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?