Risk
11/16/2010
05:12 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Emergency Patch From Adobe Arrives

Adobe today released a patch designed to patch a number of critical flaws in Adobe Reader. You'll want to patch this one, quickly.

Adobe today released a patch designed to patch a number of critical flaws in Adobe Reader. You'll want to patch this one, quickly.Breaking from its normal quarterly security patch cycle, Adobe today released patches that fix several serious vulnerabilities in Adobe Reader, in addition to an Adobe Flash. Rather than waiting, Adobe issued the patches prior to its next scheduled update because a number of the vulnerabilities have been under active attack.

For instance, the recently uncovered Flash bug has been actively exploited in attacks against Adobe Reader for a few weeks now. From the Adobe Product Security Incident Response Team (PSIRT) blog:

Today, a Security Bulletin (APSB10-28) has been posted regarding security releases for Adobe Reader and Acrobat. The updates address critical security issues in the products, including CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog ("Potential issue in Adobe Reader"), as well as the vulnerabilities addressed in the November 4 Adobe Flash Player update as noted in Security Bulletin APSB10-26. Adobe recommends that users apply the updates for their product installations.

Note that today's updates represent and out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

It's important to note that these vulnerabilities affect multiple platforms, from Adobe's security bulletin:

Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

If you haven't yet, update to Adobe Reader 9.4. If you'd like more information, see Adobe's Security Bulletin APSB10-28. For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7444
Published: 2015-09-01
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.

CVE-2015-2807
Published: 2015-09-01
Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

CVE-2015-6520
Published: 2015-09-01
IPPUSBXD before 1.22 listens on all interfaces, which allows remote attackers to obtain access to USB connected printers via a direct request.

CVE-2015-6727
Published: 2015-09-01
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.

CVE-2015-6728
Published: 2015-09-01
The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.