Google Researchers Expose Unpatched Flaws in Adobe Reader

Two Google security researchers have accused Adobe of failing to fix various reported vulnerabilities in Adobe Reader in a timely manner and are using the delay as justification to publicize details behind the security holes. The duo also has recommended that users avoid Reader until Adobe rolls out patches.

Googlers Mateusz Jurczyk and Gynvael Coldwind have asserted that back in June, they reported 46 reproducible crashes in Reader to Adobe. Earlier this week, Adobe released new versions of Reader for Windows and Mac OS X that addressed only 25 of the reported critical crashes. The Linux version received no updates. In keeping with Google's vulnerability disclosure policy, the duo has made public some details about the remaining vulnerabilities.

Specifically, Jurczyk and Coldwind published the stack traces of all 16 crashes affecting Windows and OS X. They did opt to obfuscate the call stacks, hiding the 20 least-significant address bits, as well as other information that could be exploited by a malicious hacker.

Google's policy is to give vendors 60 days to fix bugs before sharing them with the public -- a fact that gained particular notoriety back in 2010 when Google researcher Tavis Ormandy published attack code for a bug in Windows XP's Help and Support Center.

According to Jurczyk and Coldwind, Adobe plans to fix the outstanding reported bugs and issue an update for the Linux version of Reader in an upcoming release, but that release won't come quickly enough for Jurczyk and Coldwind's liking. "Adobe has confirmed they have no plans to issue additional out-of-band updates before August 27, which is 60 days after we disclosed all bugs," according to their post.

"Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds," they wrote. "Since the Linux Reader version remains unpatched and the Windows/OS X patches are now available for diffing and reverse engineering, we have decided that it's in the best interest of users to be aware of these security issues without additional delay."

In terms of mitigations and work-arounds, Jurczyk and Coldwind advised that users of Reader for Linux remove the Annots.api and PPKLite.api plug-ins. Beyond that, they said there are currently no known work-arounds for the remaining unpatched vulnerabilities. Their advice: Limit use of Adobe Reader, do not open externally received PDF files, and disable the Adobe Reader browser extension for now.

They also recommended that Windows users upgrade from Reader 9.x to Reader X, "which provides a sandbox feature, making it more difficult (although not impossible) to exploit these vulnerabilities. Unfortunately, the sandbox feature is not available for the newest versions of Adobe Reader for OS X or Linux."
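The Linux work-around described above (removing the Annots.api and PPKLite.api plug-ins), as an added example script that is not from the article, the researchers or Adobe. It moves the two plug-ins into a backup directory rather than deleting them and reports whether the work-around is in place; the default plug-ins path is an assumption about a Reader 9 install and should be checked against the actual installation.

```shell
# Added example: apply and verify the Reader for Linux plug-in work-around.
# The default plug-ins directory below is an assumption, not from the article.
READER_PLUGINS="${READER_PLUGINS:-/opt/Adobe/Reader9/Reader/intellinux/plug_ins}"
RISKY_PLUGINS="Annots.api PPKLite.api"

# Returns 0 if neither risky plug-in is present in the directory, 1 otherwise.
reader_plugins_mitigated() {
    dir="$1"
    for p in $RISKY_PLUGINS; do
        [ -e "$dir/$p" ] && return 1
    done
    return 0
}

# Moves the risky plug-ins out of the plug-ins directory into a backup
# directory so Reader can no longer load them; restore by moving them back.
# Returns 0 only if both plug-ins are gone afterwards.
disable_reader_plugins() {
    dir="$1"
    backup="$2"
    mkdir -p "$backup" || return 1
    for p in $RISKY_PLUGINS; do
        if [ -e "$dir/$p" ]; then
            mv "$dir/$p" "$backup/$p" || return 1
            echo "moved $p to $backup"
        fi
    done
    reader_plugins_mitigated "$dir"
}

# Stand-alone use: --check reports the state, --apply moves the plug-ins.
if [ "${1:-}" = "--apply" ]; then
    disable_reader_plugins "$READER_PLUGINS" "${2:-$HOME/reader-plugins-disabled}"
elif [ "${1:-}" = "--check" ]; then
    if reader_plugins_mitigated "$READER_PLUGINS"; then
        echo "work-around in place: $READER_PLUGINS"
    else
        echo "Annots.api or PPKLite.api still present in $READER_PLUGINS"
    fi
fi
```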

This story, "Google researchers expose unpatched flaws in Adobe Reader," was originally published at InfoWorld.com.