Adobe April '10 Patch Tuesday Detailed: 15 Vulnerabilities Fixed
Last week Adobe announced that on Tuesday, the 13th of April, it would release updates for Adobe Reader 9.3.1 as well as Adobe Reader 8.2.1 and Acrobat 8.2.1. The updates are meant to plug critical security holes in Adobe’s products.
As a little side note, Redmond-based software giant Microsoft on Tuesday, the 13th of April, also released updates that plug critical security holes in its products. To be more precise, Microsoft rolled out 11 security bulletins that address a total of 25 vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Exchange. Just to put things in perspective, 5 bulletins are rated critical. Additional details on the 11 bulletins Microsoft rolled out are available here.
SPONSORED LINKS
Getting back to Adobe, the California-based company that specializes in creating multimedia and creativity software products, did just what it said it would – it released updates for Windows, Mac and UNIX users. The updates apply to: - Adobe Acrobat 9.3.1 and earlier versions for Windows, Macintosh, and UNIX. - Adobe Reader 8.2.1 and earlier versions. - Adobe Acrobat 8.2.1 and earlier versions for Windows and Macintosh.
The updates, as Adobe explained, address critical vulnerabilities that could crash its products and potentially allow a person with malicious intent to take control of the targeted system. To be more precise, the updates address 15 security vulnerabilities. These 15:
CVE-2010-0190 – cross-site scripting vulnerability that could lead to code execution.
CVE-2010-0191 – prefix protocol handler vulnerability that could lead to code execution.
CVE-2010-0192 – denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible.
CVE-2010-0193 – a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible.
CVE-2010-0194 – a memory corruption vulnerability that could lead to code execution.
CVE-2010-0195 – a font handling vulnerability that could lead to code execution.
CVE-2010-0196 – a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible.
CVE-2010-0197 – a memory corruption vulnerability that could lead to code execution.
CVE-2010-0198 – a buffer overflow vulnerability that could lead to code execution.
CVE-2010-0199 – a buffer overflow vulnerability that could lead to code execution.
CVE-2010-0201 – a memory corruption vulnerability that could lead to code execution.
CVE-2010-0202 – a buffer overflow vulnerability that could lead to code execution.
CVE-2010-0203 – a buffer overflow vulnerability that could lead to code execution.
CVE-2010-0204 – a memory corruption vulnerability that could lead to code execution.
CVE-2010-1241 – a heap-based overflow vulnerability that could lead to code execution.
“Adobe recommends users of Adobe Reader 9.3.1 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.2. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.2, Adobe has provided the Adobe Reader 8.2.2 update.) Adobe recommends users of Adobe Acrobat 9.3.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.2. Adobe recommends users of Acrobat 8.2.1 and earlier versions for Windows and Macintosh update to Acrobat 8.2.2,” said the company in this bulletin.
The April 2010 Patch Tuesday brings one other important change to Adobe’s products: the new updater, which was shipped back in October and which has been in passive state, will be turned on. Windows users will be able to select one of the follwing update options:
Automatically install updates – updates are downloaded in the background and installed without user intervention.
Automatically download updates but let me choose when to install them – updates are downloaded in the background, the user is then prompted to install them.
Do not download or install updates automatically – the software will not look for updates and will not install them; the user has to manually look for updates and install said updates.
According to numerous studies, silent updaters that require no user interaction are the best way to ensure the latest patches are applied and that the software does not expose the user to security risks.
