Adobe Issues Critical Acrobat, Reader Updates
Adobe has issued a software update to fix at least eight security flaws in its Acrobat and Adobe Reader applications that, if left unpatched, could be used by attackers to take control of vulnerable systems, the company said. The vulnerabilities affect Acrobat and Reader versions 8.1.2 and earlier.

Adobe characterizes this as a "critical" update -- its most serious rating -- meaning the flaws could let an attacker run and install malicious software on a victim's computer without the victim's knowledge.
Updates are available for Reader versions on Microsoft Windows, Linux/Solaris and Mac OS X.
The software maker says users with Adobe Reader 8.0 through 8.1.2 who can't update to Adobe Reader 9 should update to Adobe Reader 8.1.3, and that the latest full versions of both products, Adobe Reader 9 and Acrobat 9, are not vulnerable to these issues. Links to updates for different versions of Acrobat are available in Adobe's security advisory.
Adobe adds that it is not aware of any reports that these issues are being exploited in the wild. Rather, all were privately reported to the company. Interestingly, six out of eight of the flaws were reported to Adobe by researchers who sold the information to vulnerability management firms like iDefense and TippingPoint.
These companies and others that buy up vulnerability findings from researchers, yet also manage the notification of the affected vendors, have often been criticized by many in the security community for cashing in on security flaws. Like it or not, however, the research these firms purchase is making up an increasing share of the flaws fixed in a number of major commercial software updates.
By Brian Krebs | November 5, 2008; 7:00 AM ET
Posted by: moike | November 5, 2008 8:28 AM
There is an alternative. "FixIt" is a great .pdf reader that takes up much fewer resources than Adobe and is also faster. It also doesn't get pushed out with junk attached like moike points out.
On a side note, Quicktime is starting to package extra junk too. If installing that, make sure you de-select it (unless you want it of course).
Posted by: hokiealumnus | November 5, 2008 9:01 AM
Err ...typo. The program is "FoxIt". Get it here: http://www.foxitsoftware.com/pdf/rd_intro.php
Posted by: hokiealumnus | November 5, 2008 9:02 AM
BK, do you know someone at Adobe I could contact directly for help with Flash Player? I tried going through the customer service portal, but the guy just gave me boilerplate answers that didn't help, and I haven't heard back from him in five days.
I have the latest version of the Firefox player installed, but many websites can't detect it. One of the pages that doesn't work is the "Test Drive" feature in the Post's Sunday Source section.
I think a registry cleaner I used may have messed up the permissions for the program, but I'm not sure how to confirm that.
I've tried uninstalling and reinstalling the player several times, and made sure the Adobe files were gone before reinstalling. Javascript is enabled.
This is getting frustrating. Thank you for any suggestions you (or others) can offer me.
Posted by: Heron | November 5, 2008 2:29 PM
Heron -- Forgive me for asking the obvious, but are you using NoScript for Firefox? That blocks most Flash by default. Anyway, just thought I'd start with the obvious.
Posted by: BTKrebs | November 5, 2008 2:33 PM
Yes, I use NoScript, but I have it set up to allow the features I like. This problem started several weeks ago; before then, I didn't have any trouble with Flash.
Posted by: Heron | November 5, 2008 2:42 PM
Oh, and I know it's not NoScript's fault, since Flash doesn't work correctly on those sites in IE or Opera, either.
Posted by: Heron | November 5, 2008 3:01 PM
I have an "interesting" problem: I can't update OR delete Adobe Reader. Every time I try I end up with a message saying, in effect, it needs Adobe Reader 7.0.5.msi to proceed. I point the message to the file I have by that name, but it only comes back with the same message.
Anyone have any thoughts on how to delete and reinstall the Reader?
Posted by: jim98851 | November 6, 2008 8:42 AM
Jim -- Have you tried the suggestions at this page here?
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb400654&sliceId=2
Posted by: Brian Krebs | November 6, 2008 11:40 AM
Jim -- Also, Microsoft's uninstall cleanup utility may be of use here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
Posted by: Brian Krebs | November 6, 2008 11:42 AM
"... Adobe... is not aware of any reports that these issues are being exploited in the wild..."
That changed today: http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC
Time for Foxit (free): http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309.
Posted by: PC-tech | November 7, 2008 1:41 PM
This is very convenient for Adobe. Adobe 9 is silently packaged with something called "Adobe Air" and "Acrobat.com".