Adobe Dealing With Surge Of Vulnerabilities
Six vulnerabilities affecting Adobe's popular Reader and Acrobat products have been discovered in the past two weeks, one of which could be used in cross-site scripting (XSS) attacks, and a group of vulnerabilities that attackers could exploit by creating rigged PDF files and getting unsuspecting users to open them.
The second group of flaws is more dangerous because remote attackers could use them to execute malicious code and take over affected machines, Adobe said in a Tuesday advisory, which noted that a malicious file would have to be loaded in Adobe Reader by the end user.
Adobe assigned its highest threat rating of 'critical' -- 4 on a 4-point scale -- to the vulnerabilities. Symantec Deepsight rated the severity of the flaws as 8.3 on a 10 point scale, while Secunia said they were 'highly critical', or 4 on a 5-point scale.
Adobe credited Polish security researcher Piotr Bania for reporting a heap memory overflow vulnerability.
Craig Schmugar, a threat researcher with McAfee's Avert Labs, says the spate of Adobe vulnerabilities is part of an ongoing shift by hackers away from operating system-focused bugs and towards application flaws.
Widely deployed, cross-platform applications are especially attractive to attackers, which means other Adobe products such as Flash and Shockwave could also be targeted, according to Schmugar.
The San Jose, Calif.-based vendor also fixed the XSS vulnerability that came to light last week that could allow hackers to launch attacks by adding malicious Javascript to PDF file Web links. Adobe assigned a rating of 'important', or 3 on a 4-point scale, to this flaw.
Adobe also issued server-side workarounds for the XSS vulnerability and patched an information disclosure vulnerability in Adobe ColdFusion, an application server and software development framework for creating dynamic Web content.
Adobe advised users to update to version 7.0.9 or upgrade to version 8.0.