Adobe Releases Critical but Delayed Reader and Acrobat Patches

Adobe has finally patched bugs in its popular Reader and Acrobat software a week later than scheduled, addressing eight “priority rating 1” vulnerabilities that could allow hackers to take over an affected system.

Priority 1 is the equivalent of a “critical” flaw, according to Adobe’s rating system.

The vulnerabilities in question affect Adobe Reader X and Reader XI, as well as Acrobat X and Acrobat XI.

The issues addressed in this patch bundle include a use-after-free vulnerability that could lead to code execution (CVE-2014-0560); a universal cross-site scripting (UXSS) vulnerability (CVE-2014-0562); and a denial of service flaw related to memory corruption (CVE-2014-0563).

Also covered are updates that resolve a heap overflow vulnerability that could lead to code execution (CVE-2014-0561, CVE-2014-0567); memory corruption vulnerabilities that could lead to code execution (CVE-2014-0565, CVE-2014-0566); and a sandbox bypass vulnerability that could be exploited to run native code with escalated privileges on Windows (CVE-2014-0568).

“The patches address all eight vulnerabilities per operating system, so they are each described as priority 1, top patching concerns,” explained Ross Barrett, senior manager of security engineering at Rapid7.

“Though these are all high priority issues, the disclosure list suggests that they are not active in the wild, but given the nature of the disclosure, exploit or proof of concept code will likely become available in the near future.”

The patches were delayed from a week ago to give Adobe more time to iron out “issues identified during routine regression testing,” the firm explained.

However, there was still enough to keep system admins busy last Tuesday, with the release of four security bulletins fixing a total of 42 vulnerabilities, and a critical patch for Flash.

Qualys CTO Wolfgang Kandek urged IT teams to address critical bulletin MS14-052 first as it relates to 37 of the fixes.

“The bulletin fixes zero day vulnerability CVE-2013-7331, which can be used to leak information about the targeted machine. CVE-2013-7331 allows attackers to determine remotely through a webpage the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes,” he explained.

“This capability has been used in the wild by malware to check if anti-malware products or Microsoft’s Enhanced Mitigation Toolkit (EMET) is installed on the target system and allows the malware to adapt its exploitation strategy.”

The APS14-21 patch for Flash should come next as it fixes a remote code execution flaw which could be exploited through a malicious web page with “secondary vectors through Microsoft Office documents.”
