Risk
11/16/2010
05:12 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Emergency Patch From Adobe Arrives

Adobe today released a patch designed to patch a number of critical flaws in Adobe Reader. You'll want to patch this one, quickly.

Adobe today released a patch designed to patch a number of critical flaws in Adobe Reader. You'll want to patch this one, quickly.Breaking from its normal quarterly security patch cycle, Adobe today released patches that fix several serious vulnerabilities in Adobe Reader, in addition to an Adobe Flash. Rather than waiting, Adobe issued the patches prior to its next scheduled update because a number of the vulnerabilities have been under active attack.

For instance, the recently uncovered Flash bug has been actively exploited in attacks against Adobe Reader for a few weeks now. From the Adobe Product Security Incident Response Team (PSIRT) blog:

Today, a Security Bulletin (APSB10-28) has been posted regarding security releases for Adobe Reader and Acrobat. The updates address critical security issues in the products, including CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog ("Potential issue in Adobe Reader"), as well as the vulnerabilities addressed in the November 4 Adobe Flash Player update as noted in Security Bulletin APSB10-26. Adobe recommends that users apply the updates for their product installations.

Note that today's updates represent and out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

It's important to note that these vulnerabilities affect multiple platforms, from Adobe's security bulletin:

Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

If you haven't yet, update to Adobe Reader 9.4. If you'd like more information, see Adobe's Security Bulletin APSB10-28. For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0279
Published: 2015-03-26
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

CVE-2015-0635
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to spoof Autonomic Networking Registration Authority (ANRA) responses, and consequently bypass intended device an...

CVE-2015-0636
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (disrupted domain access) via spoofed AN messages that reset a finite state machine,...

CVE-2015-0637
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (device reload) via spoofed AN messages, aka Bug ID CSCup62315.

CVE-2015-0638
Published: 2015-03-26
Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3, when a VRF interface is configured, allows remote attackers to cause a denial of service (interface queue wedge) via crafted ICMPv4 packets, aka Bug ID CSCsi02145.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.