Adobe 'Critical' Security Update Removes Fraudulent DigiNotar Certificates

Specifically, the Adobe security update repaired critical flaws in Adobe Reader 10.1 and earlier versions for Windows and Mac OS X, as well as Adobe Reader 9.4.2 and earlier versions for UNIX and Adobe Acrobat X and earlier versions for Windows and Mac OS X.

If exploited, the critical Adobe Reader and Acrobat flaws could enable hackers to execute malicious code that could give them the ability to take complete control of a user’s computer, or cause the entire system to crash. The attacks would be launched through infected PDF document, and delivered via some kind of social engineering scheme.

Adobe’s next scheduled patch release will be Dec. 13.

Meanwhile Adobe underscored Wednesday that the Adobe Approved Trust List (AATL) had been updated in Tuesday’s patch to remove fraudulent DigiNotar SSL certificates , which included protections for Adobe Reader and Acrobat X users.

Adobe said that a future update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AAT. Until then, users can manually remove the DigiNotar certificates by following instructions provided on the Adobe web site.

“Adobe takes the security and trust of our users very seriously,” Adobe said in a blog post last week. “While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there is evidence of the hacker having access to this CAR, thus possibly compromising its security.”

Adobe, like major vendors Google, Microsoft and Mozilla, was forced to blacklist numerous DigiNotar SSL certificates after the Dutch certificate authority was hacked over the summer, compromising more than 500 domains.

Certification authorities, or CAs, such as DigiNotar, digitally sign web pages, which provides a trusted symbol authenticating online property protected by secure socket layer, or SSL.

Attackers who compromised DigiNotar SSL certificates could then impersonate the affected domains, enabling them to take control over all entered user content in order to execute spoofing and man-in-the-middle attacks.

Adobe said it was in discussions with the Dutch government about the status of the compromised DigiNotar certificates, and said that it would be “proactively implementing a number of changes to the policies, terms and technical requirements” for its AATL program following the DigiNotar breach. The changes would be rolled out over the next several weeks, Adobe said.