Adobe Reader, Acrobat Update Patches Critical PDF Flaw

Adobe silently issued an unscheduled update to Reader and Acrobat on Tuesday, addressing a slew of security bugs in its PDF application that leave the platform open to malicious attacks.

Adobe released the latest update, Reader 9.4.1 and Acrobat 9.4.1 in Windows and Mac OS X platforms, repairing a critical flaw in the way its PDF files handle Flash components. Adobe Reader 9.4.1 for Unix is expected to be available Nov. 30.

The update follows a day after researchers at Microsoft issued a security advisory Tuesday warning users that sample code is on the loose again exploiting the critical Adobe Flash vulnerability.

The attack, which has been used by hackers to exploit Reader and Acrobat in the past, is distributed via an infected PDF file containing multiple malicious components. The vulnerability opens the door for malicious hackers to execute arbitrary code remotely or launch denial of service attacks on victims' computers by sending infected PDFs to victims, and enticing them to open the files with some kind of social engineering trickery.

Users download malicious code onto their systems once they open the infected PDF, causing a memory corruption error and application crash or enabling hackers to take control of their entire system.

The vulnerability also affects Adobe Flash Player prior to version 9.0.289.0 and version 10 prior to 10.1.102.64 on Windows, Mac OS X, Linux and Solaris, and version 10.1.95.1 on Android. However, thus far there are no known in-the-wild exploits affecting Flash Player.

As usual, Adobe urged users to immediately install the update, issued just weeks after the company released its fall quarterly patch. The next scheduled update is slated for February 8, 2011.

Meanwhile, Adobe also released Acrobat X (pronounced 10) Monday, which now incorporates the company's touted Protected Mode, containing sandboxing technology, a security mechanism that will add an additional layer of defense by containing malicious code embedded in PDF files within the Adobe Reader sandbox and ostensibly preventing hackers from accessing elevated privileges on the user's system.

However, some security experts contend that with Reader X in its infancy, the addition of complex features -- such as sandboxing -- could also introduce new security complications and unearth new glitches.

"Adding yet more complexity -- albeit in the name of security -- to already very complex, multimillion line applications may introduce yet more flaws," said Paul Ducklin, Sophos head of technology for the Asia Pacific region, in a blog post Tuesday.

Adobe Reader X is slated for release toward the end of the month.

Next: Adobe Warns Of Phishing Scams Exploiting Acrobat X

In light of the upgrade, Adobe issued an advisory Tuesday warning users of phishing scams that use the Acrobat X upgrade to entice users to submit personally identifying information and credit card details.

"Be cautious when receiving e-mail messages purporting to offer a download of a new version of Adobe Acrobat or Adobe Reader sent by entities claiming to be Adobe," the advisory warned. "Many of these e-mails have not been sent by Adobe or on Adobe's behalf."

Adobe reminded users that the Acrobat X upgrade is a free offering, which can be accessed directly from the Adobe download page.