Maximum PC Adobe Reader RSS Feed

Adobe Releases 29 Security Patches for Acrobat and Reader

Ryan Whitwam — Tue, 13 Oct 2009 19:02:36 -0500

Security flaws in Adobe reader and Acrobat are nothing new, but in a recent round of updates, Adobe has patched 29 vulnerabilities at once. The updates also included a new software updater that should, once activated, deliver patches in a more effective way.

This will be a welcome change for anyone that’s had to use the current updater. It only checks for updates to Adobe software weekly, and given the frequency of exploits in their products, it isn’t enough. Some updates would even mysteriously vanish from the updater, leaving users vulnerable. This should all change with the new version.

The other vulnerabilities addressed in the set of patches revolved mostly around remote code execution attacks. One of which was already in use around the internet. Adobe warned Mac and Unix users that the same vulnerabilities exist on their platforms as well. The internet is a dangerous place.

A Patch Tuesday "Two-Fer" Secures Both Microsoft and Adobe Programs

Mark Edward Soper — Thu, 11 Jun 2009 19:11:41 -0500

June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."

Here's what Microsoft patched this week:

Critical remote code execution vulnerabilities in Active Directory on Windows 2000 Server, Windows Server 2003, and ADAM on Windows Server 2003 and Windows XP Professional (MS09-018)

Critical to Moderate remote code execution vulnerabilities in Windows Print Spooler in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-022).

Critical to Moderate remote code execution vulnerabilities in IE5.01, IE6, IE 6SP1, IE7, and IE8. Note that IE8 in Windows 7 RC is not included (MS09-019).

Critical to Important remote code execution vulnerabilities in Microsoft Office Word 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Word Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-027).

Critical to Important remote code execution vulnerabilities in Microsoft Office Excel 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Excel Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-021).

Critical to important remote code execution vulnerabilities for Microsoft Works 8.5, 9 and Office 2000 SP3, Office XP SP3, Office 2003 SP3, and Office 2007 SP1 (MS09-024).

Important elevation of privilege vulnerabilities in the RPC function in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-026).

Important elevation of privilege vulnerabilities in Windows Kernel in Windows 2000 SP4, Windows XP SP2/SP3, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-025).

Important elevation of privilege vulnerabilities in IIS 5.0, 5.1, and 6.0 when running on Windows 2000 SP4, Windows XP SP2/SP3 and x64 SP2, and Windows Server 2003 SP2 and x64 SP2 (MS09-020).

Moderate information disclosure vulnerabilities in Windows Search 4.0 when running on Windows XP SP2, SP3, x64 SP2; Windows Server 2003 SP2 and x64 SP2 only (MS09-023).

For details about the exploitability rating for each vulnerability (1-3, 1 being the most severe), see the security bulletin summary. To find out about Windows Media Center and other updates, and where to get the Adobe updates, join us on page 2.

Microsoft also rolled out these updates in June:

The June 2009 version of the Windows Malicious Software Removal Tool (KB890830)
The June 2009 update for the Windows Mail Junk email filter (KB905866)
Cumulative updates for Windows Media Center for Windows Vista (KB967632) and Windows Media Center TV Pack for Windows Vista (KB966315)
An update to the ActiveX kill bits security pack (KB969898).

Adobe was also busy sticking its fingers in the security dike this month, rolling out critical security update APSB09-07 with updates for Adobe Reader and Acrobat 9.x, 8.x, and 7.x. Vulnerabilities patched by the updates include stack overflow, integer overflow, memory corruption and heap overflow, all of which could be used to trigger arbitrary code execution.

Stay safe out there!

Adobe Patches Zero-Day Vulnerability

Justin Kerr — Sun, 15 Mar 2009 12:59:32 -0500

If you haven’t done so already, make sure your Adobe reader has checked for, and downloaded the latest updates. Adobe has finally released a patch for the zero day scripting vulnerability in its PDF software. The patch for version 9 hit the net a bit earlier than expected, but not a moment too soon to combat this now critically exploited weakness which has been in the wild now since December 2008. The patches for Version 7 & 8 are still planned for March 18th and users of this version would be advised to either upgrade to 9.1 or consider Foxit Reader.

The news was posted by Adobe blogger David Lenoe. "Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the 'no-click' variant of the vulnerability." "We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1."

For those that haven’t been following the details of the exploit, the vulnerability is a result of an array indexing error in the processing of JBIG2 streams. Hackers have found a way to corrupt arbitrary memory using the PDF format and take control of compromised systems. The lesson learned here if we didn’t know it already, don’t take candy, or PDF’s from strangers.

New Adobe Reader Exploit Reminds us why we Love Foxit

Justin Kerr — Sun, 22 Feb 2009 18:41:26 -0600

Adobe’s PDF reader and creator software continues to be under a seemingly endless attack, and a new vulnerability has the security community very worried. A critical flaw in all editions of its PDF reader and creator software will allow attackers to crash the application and gain control of a person’s computer. This vulnerability has been acknowledged by Adobe, but a fix is still rumored to be 2-3 week away. Initially the company will be working to patch version 9, but will eventually include fixes for version’s 7 & 8 as well.

According to the McAfee security blog, malicious PDF documents are already in the wild, and have been appearing across the web since early January. PDF exploits are of significant concern to the security community since the reader software interfaces very closely with web browsers. In many cases PDF documents are opened within a new browser tab, and displayed even with a user’s consent. According to Symantec this attack has primarily been directed towards government agencies and large corporations, it is not widespread as of yet.

Symantec also offers some tips on how to combat the problem by disabling JavaScript, but here at Maximum PC we much prefer just using Foxit Reader as an alternative. This lightweight solution weighs in at only 3 MB and (to the best of our knowledge) is unaffected by the exploit. It’s so good in fact, it made our list of 32 Totally Essential (and free) Apps for Every New PC.

Acrobat 9 Release Represents Good News, Bad News for Adobe PDF Users

Mark Edward Soper — Thu, 26 Jun 2008 15:54:34 -0500

Hooray! Acrobat 9 Ships

UK's The Register reports that Adobe Acrobat 9 was released Wednesday. As with other recent versions, the new Acrobat release is available in three versions, Standard, Pro, and Extended.

What's New in Acrobat 9 Standard

Acrobat 9 Standard ($299 full, $99 upgrade from Acrobat 6.x, 7.x, or 8.x) includes these new features:

Easy fillable-form creation, form fill-in, and form tracking
Software launches in half the time of Acrobat 8 (a much-needed improvement in my view)
Include Adobe Flash-based audio and video inside PDF documents (can we expect more exciting e-Books now? I hope so!)
Better OCR and scanner support to make it easier to turn paper into editable text
Convert web pages, including pages with rich and interactive media, into PDF files
Search multiple PDF files in the same folder
Works with Acrobat.com website

For most users, though, Acrobat Standard just doesn't have enough goodies to justify the price. To find out why Acrobat Pro 9 will hit more users' "sweet spot," read page 2.

Kick It Up a Notch with Acrobat 9 Pro

Acrobat Pro ($449 full, $159 upgrade) adds the following new features to those in Acrobat 9 Standard:

Support for PDF Portfolios, which can contain drawings, documents, emails and spreadsheets that can be configured with a template for easy "touring" of the contents
Synchronized document views and document comparison
PDF Standards pane helps assure that your document meets the requirements for new PDF/A (archiving), PDF/X (professional printing), or PDF/E (engineering documents; link opens PDF file) standards
Improved print workflows and previews for document designers and prepress specialists

Having It All with Acrobat 9 Pro Extended

Acrobat 9 Pro Extended ($699 full, $299 upgrade) adds the following features to Acrobat 9 Pro and Standard's feature lists:

Add 3D and maps to a PDF Portfolio
Convert popular video formats to Flash for use in a PDF file
Includes Adobe Presenter software for interactive presentations
Includes Adobe 3D Reviewer to combine multiple CAD drawings
Supports interactive, geospatially enabled PDF maps

Windows Users, Try It Free!

Acrobat 9 has the potential to make the PDF file format go way beyond the "it's just like a book only on your screen" limitations of the past. Whether you work (or play) as a graphic or document designer, you'll want to give it a try. 30-day trial versions (for Windows only, at this point) are available here.

And Now for the Bad News - Reader 9's Not Ready Yet

Want to show off that way-cool video-loaded interactive document you cranked out with a trial of Acrobat 9? Drag along your laptop - at least until Reader 9 hits the street. "Early July" is the word on Reader 9 availability, so you have time to polish your tribute to gaming, your favorite band, or maybe something more substantial. See the Acrobat Pro Extended demo for a taste of the future of PDF.

JavaScript Vulnerability Gives a Whole New Meaning to "Get Adobe Reader"

Mark Edward Soper — Thu, 26 Jun 2008 14:27:24 -0500

Bad, JavaScript, Bad! Malformed JS Can Attack Acrobat, Reader

On the one hand, JavaScript helps make the web a more enjoyable and useful place, improving website interactivity and features. On the other hand, JavaScript can put a big bullseye on your system, targeting it for trouble.

A JavaScript vulnerability in Adobe Acrobat and Reader 7.x and 8.x can enable an attacker to take over your system. As the Vnunet website reports it:

The vulnerability could allow an attacker to gain control of the user's system by way of malformed JavaScript code.

When exploited, the vulnerability leads to an application crash which leaves the user liable to remote control of the system and code execution from the attacker.

Such remote code execution flaws are a favourite method for covertly installing malware and are often regarded as the highest risks among software vulnerabilities.

Windows, Move Over - MacOs Also Needs Updates

This vulnerability is cross-platform: this time, MacOS and Windows users alike need to update their installations.

Choose Your Update - Stat!

Find the updates you need for either platform, and get the whole story by reading Adobe Security Bulletin APSB08-15.

Got Adobe Acrobat or Reader 8.1? The "Fix" Is In

Mark 'Marcus Soperus' Soper — Mon, 22 Oct 2007 22:55:31 -0500

Acrobat & Reader 8.1 Users - Adobe to the Rescue!

Earlier this month, we told you that the combination of Adobe Reader or Acrobat with Windows XP and Internet Explorer 7 left users facing a major vulnerability: the "mailto" URI used in web pages and PDF files could be used to download and install malware.

Adobe promised they'd have updates to fix the problem by month-end, and they've outdone themselves: they rolled out a security bulletin today with updates to Adobe Reader 8.1 and Adobe Acrobat 8.1. Reader and Acrobat 8.1 become 8.1.1 after patching.

Acrobat & Reader 7.x Users - Still on the Waiting List

You know how software vendors are always telling you to 'update to the lastest version?' Sometimes, there's a good reason, like being first in line for updates for a security problem. Although lots of PCs still use Acrobat and Reader 7.x, Adobe rolled out the patches for Acrobat and Reader 8.1 first. Are Acrobat 7.x users out of luck? Nope. Adobe says it will roll out updates for Acrobat and Reader 7.x users "at a later date." If for some reason you're still using Acrobat or Reader 6.x or earlier - Fuhgeddaboutit! No patches for you.

Can't Wait for 7.x Updates? Disable Mailto: Now!

If you can't run Acrobat or Reader 8.1, follow the workaround provided in both the original and the new security bulletins to disable the Mailto: URI for Acrobat and Reader.

Didn't Ask for That PDF File? Watch Out!

Mark 'Marcus Soperus' Soper — Fri, 12 Oct 2007 07:57:20 -0500

PDF files can be as rich in interactivity as web pages. For example, a well-designed PDF ebook allows you to click from the table of contents to the page you want, or it can be used to open a website. Unfortunately, interactivity has a price: it can also be used to attack your system.

"Mailto:" Can Receive Too: How About Some Malware?

A "Mailto:" link in a PDF page is supposed to launch your system's default email client, but UK-based Web vulnerability expert Petko Petkov, who blogs at gnucitizen.org as 'PDP', recently discovered a big flaw in the combination of Abobe Acrobat or Adobe Reader (8.1 and all earlier versions) and Internet Explorer 7 on Windows XP. With this combination, a "Mailto: link can actually be used to download and install malware. According to Petkov, you don't even need to click on a Mailto: link in an affected document to be infected.

PDF Vulnerability Hits a Popular Combination

How big a deal is this? Think about how often you open a PDF file from the web or in email: for some of us, it's probably several times a day. Combine that with the widespread use of IE7 on Windows XP (this time, Windows Vista users ducked the bullet), and it's a very big, very bad deal for PC users in home and at the office.

Most of us don't think about PDF being anything other than a convenient way to send images or documents, but this vulnerability reminds us that any file format with interactive features is a two-edged sword.

Adobe's Response - Registry Edit Now, Patch Coming Soon

Adobe has rolled out a two-stage response to this vulnerability. Right now, the company is recommending a change to the Registry to disable Mailto:. The Adobe advisory specifically details changes only only for Windows XP systems running Acrobat and Reader versions 8.1, although all previous versions are also affected. Adobe expects to have patches available by the end of October.

The Blame Game, Again - But Microsoft Fesses Up

Whose fault is this particular vulnerability? Abobe's? Microsoft's? After some initial fingerpointing, Microsoft has now admitted that IE7 in both Windows XP and Windows Server 2003 has a problem handling threats concealed in URLs and URIs such as "mailto:" A security update is coming, but isn't available yet. Keep your eye on Knowledge Base article 943521 for updates.

It's interesting that the problem is not IE7 per se, but the combination of IE7 with Windows XP or Windows Server 2003. It's clear that something went wrong when IE7 was ported from Windows Vista to Windows XP/Server 2003 (if you're still using IE 6, you're safe from this threat).

Your Response

If you're accustomed to mindlessly opening PDF files whatever their source, stop and think. If you get an unsolicited PDF in your email, or you're asked to click a link in a PDF or open an attachment by an unfamiliar source - don't do it. If you use IE7 with Windows XP and either Adobe product, make the registry change - today. Grab the Abobe and Microsoft IE 7 patches as soon as they're posted. And, as always, think before you click.