If you have been following the story of the critical, publicly exploited vulnerability in Adobe Reader and Adobe Acrobat, here's the update: Adobe has finally announced when it plans to release a fix. The fix will ship during the week of October 4, 2010, said Adobe, the California-based company that specializes in multimedia and creativity software.
If you haven't been following the story, here's the lowdown. Last week Adobe announced that Adobe Reader 9.3.4 and earlier versions for Windows, Mac and UNIX, as well as Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac, are affected by a critical vulnerability. An attacker who exploited it could crash the targeted system or even take control of it.
Adobe posted a security advisory online, but it offered no specific details about the vulnerability. Luckily, McAfee's Xiao Chen filled in some of the gaps: “This zero-day vulnerability is a typical stack buffer overflow. Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses a Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP).”
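The bug class the McAfee quote describes, as an added illustration that is not code from the article, from Adobe or from McAfee: a parser that trusts an attacker-controlled length and copies that many bytes into a fixed-size stack buffer, beside a hardened version that validates every bound before copying. The record format (one length byte followed by the payload), the buffer sizes and the function names are all constructed for this example; the page does not describe the actual Reader code or file format, and nothing here is meant to reflect it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* size of the fixed stack buffer both parsers use */

/* Vulnerable parser. The record is a length byte followed by that many
 * payload bytes (a constructed format, not Reader's). The length is checked
 * against the record but never against the 32-byte stack buffer, so a
 * length of 33..255 overwrites whatever sits above `name` on the stack.
 * /GS (or gcc's -fstack-protector) notices the clobbered cookie only when
 * the function returns, and DEP only prevents the stack from executing;
 * neither stops the overwrite, which is why the McAfee analysis describes
 * ROP, reuse of code already mapped in the process, as the way past both. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t n;

    if (rec_len < 1)
        return -1;
    n = rec[0];
    if (n + 1 > rec_len)              /* source bound is checked ...       */
        return -1;
    memcpy(name, rec + 1, n);         /* BUG: ... destination bound is not */
    name[n] = '\0';
    if (n + 1 > out_len)
        return -1;
    memcpy(out, name, n + 1);
    return (int)n;
}

/* Hardened parser: every bound is validated before a single byte is copied.
 * n is at most 255, so n + 1 cannot overflow size_t. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t n;

    if (rec_len < 1)
        return -1;
    n = rec[0];
    if (n + 1 > rec_len ||            /* payload must exist in the record  */
        n + 1 > sizeof name ||        /* and fit the stack buffer plus NUL */
        n + 1 > out_len)              /* and fit the caller's buffer       */
        return -1;
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    memcpy(out, name, n + 1);
    return (int)n;
}

/* Constructed sample input: a well-formed 5-byte name. */
static const uint8_t GOOD_REC[] = { 5, 'A', 'd', 'o', 'b', 'e' };

/* Constructed malicious input: the length byte claims 200 payload bytes,
 * more than six times NAME_MAX. */
static void build_oversize_rec(uint8_t rec[1 + 200])
{
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
}

int demo_safe_good_record(void)
{
    char out[NAME_MAX];
    int n = parse_name_safe(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
    return (n == 5 && strcmp(out, "Adobe") == 0) ? n : -1;   /* 5 */
}

int demo_unsafe_good_record(void)
{
    char out[NAME_MAX];
    int n = parse_name_unsafe(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
    return (n == 5 && strcmp(out, "Adobe") == 0) ? n : -1;   /* 5 */
}

int demo_safe_rejects_oversize(void)
{
    uint8_t rec[1 + 200];
    char out[NAME_MAX];
    build_oversize_rec(rec);
    return parse_name_safe(rec, sizeof rec, out, sizeof out); /* -1 */
}

int main(int argc, char **argv)
{
    printf("safe parser, good record:     %d\n", demo_safe_good_record());
    printf("unsafe parser, good record:   %d\n", demo_unsafe_good_record());
    printf("safe parser, oversize record: %d\n", demo_safe_rejects_oversize());

    /* Only on request: hand the oversize record to the vulnerable parser.
     * Compiled with cl /GS or gcc -fstack-protector-all this aborts at
     * return with a stack-cookie failure; without stack protection the
     * saved return address is replaced by 'A' bytes and the process faults. */
    if (argc > 1 && strcmp(argv[1], "--smash") == 0) {
        uint8_t rec[1 + 200];
        char out[NAME_MAX];
        build_oversize_rec(rec);
        parse_name_unsafe(rec, sizeof rec, out, sizeof out);
    }
    return 0;
}
```

Build with `gcc -fstack-protector-all` (or `cl /GS` on Windows) and run with `--smash` to see the cookie check fire, which is the protection the quote says the real exploit sidesteps with ROP. Stack cookies and DEP raise the cost of exploiting a bug like this; only the length check removes it, which is why the EMET guidance below is a stopgap and the patch is the actual fix.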
Over the weekend Adobe updated the security advisory with a mitigation for Windows users. Here's what Adobe said in the advisory:
“Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.”
Fermin J. Serna and Andrew Roths of Microsoft Security Research & Defense posted a detailed article on using EMET 2.0 to block exploitation of the Adobe Reader and Adobe Acrobat vulnerability described above.
Today Adobe announced that during the week of October 4 it will issue updates to Adobe Reader and Adobe Acrobat that fix the critical, publicly exploited vulnerability described above.
Note that Adobe had originally scheduled its next updates for these products for October 12. Because of the October 4 release, no other updates will be released on October 12. Also during the week of October 4, Adobe will fix a recently discovered critical vulnerability in Flash Player 10.1 that also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. Additional details about that vulnerability are available in this security advisory.