Adobe Rolls Out 29 Security Fixes For Reader, Acrobat

Tuesday's update was rolled out in the latest versions of Adobe Reader and Acrobat, which apply to all Windows, Mac and Unix systems.

Adobe released a security advisory Friday warning users about active attacks exploiting critical flaws in Adobe Reader and Acrobat that could cause the applications to crash and enable remote attackers to infiltrate users' computers and launch information-stealing malware.

Adobe maintained that active exploits were limited to "targeted attacks" aimed at Reader and Acrobat on Windows. However, Tuesday's patch also addressed critical errors in the Reader and Acrobat applications for Mac OS X and Unix that enabled attackers to execute malicious code remotely.

As of Tuesday, the latest Adobe Reader and Acrobat versions 9.2 and 8.1.7 also shipped with a new beta updater technology, available to a limited number of users participating in a beta testing program.

Adobe said that the new updater was part of a concerted effort to make the security update process more efficient and accessible to users.

"The purpose of the new updater, once it is active, is to keep end users up-to-date in a much more streamlined and automated way," said Steve Gottwals in a company blog post. "As beta testing progresses, we will continue to communicate pertinent details with you about the new updater."

Updates for Reader and Acrobat incorporate changes that give IT administrators and end users increased control over how and when they block JavaScript functions, Adobe said. In the past, users who disabled JavaScript would be alerted by a dialog box that offered them other options. Now, when JavaScript is disabled, users are alerted and presented alternatives by the gold bar, which runs across the document in the application chrome.

"Our research has shown that this is a much friendlier and more effective way to interact with end users on security matters," Gottwals said.

Adobe has routinely issued security advisories recommending that Reader and Acrobat users prevent attacks that exploit security vulnerabilities in JavaScript applications by disabling the JavaScript function altogether.

In addition, Adobe launched the Adobe Reader and Acrobat JavaScript Blacklist Framework, which gives users the ability to block certain attacks targeting specific JavaScript API calls by adding those API calls to the "blacklist," which prevents them from executing. The enhancements also give executives and IT administrators the ability to block specific JavaScript API calls and keep their end users from overriding that decision.

This quarter marks the second regularly scheduled security update for both Reader and Acrobat. Similar to Microsoft's "Patch Tuesday" release, Adobe initiated a process to create security updates on a regularly scheduled quarterly basis.