Adobe Fixes 29 Vulnerabilities in Acrobat and Reader

By Jennifer LeClaire, newsfactor.com - Wed Oct 14, 2009 11:41AM EDT
While IT administrators around the world had their hands full planning to implement the largest-ever set of patches from Microsoft on Tuesday, another software maker quietly rolled out a massive fix of its own.
On what will go down in IT admin history as a day of headaches, Adobe Systems rolled out updates for both Acrobat and Reader on Tuesday. The updates address 29 critical security vulnerabilities for the PDF applications, which are used across business and consumer PCs around the world.
Despite a hyper-focus on Microsoft's patches, security researchers warn not to put off dealing with Adobe security fixes. The one-two punch spells long nights for IT administrators.
"Compound Tuesday's Microsoft release with the Adobe quarterly release and we are certain to see some enterprise teams become flustered," said Andrew Storms, director of security operations for nCircle. "The key for security and IT organizations managing today's deluge of patches is to maintain focus and diligence with patch-management practices."
Critical Vulnerabilities
According to Adobe's security bulletin, critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh.
Adobe said these vulnerabilities could cause the applications to crash and potentially allow an attacker to take control of a PC. The vulnerabilities are many, ranging from heap-overflow issues to memory-corruption issues to invalid-array-index issues to remote-exploitation issues. Adobe acknowledged reports that some of the issues are being exploited in the wild.
Adobe recommends that consumers who use Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. The company also recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, the company has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates.
'The Most Critical Kind of Bugs'
"All users of Adobe Reader or Acrobat will need to update their software with this release because these updates include fixes for the most critical kind of bugs," Storms said. "Several of these could let an attacker take remote control of a user's computer."
Storms sees a stark contrast between the patches from Adobe and Microsoft on Tuesday. Microsoft issued 34 bug fixes, but they were spread over 12 different products. On the other hand, Adobe fixed nearly 30 bugs in just two products.
"Every security team is hoping that future quarterly security releases from Adobe will not be this massive," Storms said. With Microsoft just releasing its largest-ever set of security bulletins, analysts could say the same thing about the software giant.