Adobe issues emergency patch for Reader, Acrobat

Adobe has issued an emergency fix for Reader and Acrobat to address a "critical flaw", first disclosed at the Black Hat conference in Las Vegas, that could allow an attacker to compromise a user's system.

The updates, Adobe Reader and Acrobat versions 9.3.4 and 8.2.4, fix an integer overflow error in the way the PDF viewer parses fonts. The vulnerability could allow an attacker to execute arbitrary code on an affected system, according to Adobe's security bulletin.

The flaw was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation. The bug can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia.

The vulnerability affects Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX, along with Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh.

Adobe was considering releasing the fix during its normal quarterly cycle in October, but decided otherwise, even though there are no reported exploits.

Additionally, six Flash Player vulnerabilities, listed as "critical," were fixed in the code included Reader and Acrobat updates. The vulnerabilities, which were fixed in Flash Player itself last week, could be exploited by an attacker to crash the multimedia application or take control of a user's system.

Reader and Acrobat ship with Flash Player code, so typically when there is an update to Flash, Adobe needs to make the same updates to the code in Reader and Acrobat, a company spokeswoman told SCMagazineUS.com in an email.

Flash Player is not affected by vulnerabilities in Reader and Acrobat. Only Reader and Acrobat are affected by certain vulnerabilities in Flash Player, the spokeswoman said.

Adobe is scheduled to release the next quarterly security updates for Reader and Acrobat on October 12.

See original article on scmagazineus.com