Bugs and Fixes: Adobe Reader, Acrobat Come Under Fire

Adobe product security took another hit recently when reports surfaced of a zero-day attack against a critical vulnerability in the ubiquitous Adobe Reader.

The flaw affects both Reader and Acrobat on all platforms, and lets an attacker install malware on your PC if you open a malicious PDF file using version 9.2 or earlier of either app. Small-scale, targeted attacks have already occurred in the wild. By the time you read this, Adobe has devised a patch for the problem, as described in a recent security bulletin.

Adobe's Illustrator has another critical flaw that remains to be fixed. Opening a tainted EPS file could trigger an attack if you have Illustrator CS4 version 14.0.0, or Illustrator CS3 version 13.0.3 or earlier, on any operating system. As with the Reader vulnera­bility, Adobe hoped to re­­lease a fix at around the time we went to press. Look for a patch announcement; and for details, see the relevant bulletin from Adobe.

Adobe did release necessary patches for its Flash Player and AIR programs on all platforms. Among the critical flaws that these fixes corrected was a bug in the way the programs handled JPEG images. Adobe has set up a page on its site where you can check your version of Flash; versions 10.0.32.18 and earlier need updating to version 10.0.42.34. AIR versions 1.5.2 and earlier need to bump up to version 1.5.3. Adobe has also posted a bulletin summarizing the situation.

Jumbo Update for IE

Microsoft's latest batch of patches has a cumulative update for all Internet Explorer versions. This bundle includes fixes for last month's zero-day flaw affecting IE 6 and 7. The update (MS09-072) is rated critical for IE 5 on Windows 2000, for IE 6 on Windows XP or Server 2003, and for IE 7 on XP and Vista. It's also required for IE 8 on XP, Vista, and Windows 7; but it's rated only moderate for IE 7 and 8 on Server 2003 and Server 2008.

Next up for Microsoft is MS09-074, a fix for an Office Project flaw that a malicious Project file could trigger. The update is rated critical for Microsoft Project 2000 SP1, and important for 2002 SP1 (part of Office XP) and 2003 SP3. Office 2007 is not affected.

Additional Microsoft Fixes

The final critical Microsoft fix, MS09-071, affects only Windows Server 2008. But you should also pick up a number of less-crucial patches. One of them (MS09-073) fixes a bug in WordPad and in Office Text Converters that a maliciously crafted Word 97 file could exploit. Another update (MS09-069) prevents a specially created Internet Security Association and Key Management Protocol message from crashing Windows 2000, XP, or Server 2003. To obtain all of the new patches, fire up Windows Update; for an overview of the whole batch, see Microsoft's security bulletin summary.

Media Fixes for Firefox

Firefox users can wrap up their monthly patches by making sure the browser is updated to version 3.5.6, or to 3.0.16 if you haven't yet upgraded. Both updates fix various crash bugs that might allow an intruder to install malware and run attack commands. The 3.5.6 update shores up two other critical security holes: one in the libtheora video library that could be hit with a malicious video file, and the other in the liboggplay media library. Choose Help, Check for Updates to make sure you have the latest version.

Subscribe to the Security Watch Newsletter

Comments