RealTime IT News

Adobe Fixes Multiple Flaws

Adobe issued a patch this week that helps prevent multiple flaws found in its products.

The fixes clear up problems in Windows and Macintosh systems running Adobe Reader and Acrobat Pro versions 6.0.0 through 6.0.2. The vulnerabilities were found in the products' embedded Flash, eBooks and PNG libraries.

The Web publishing software firm also issued a separate patch that clears up the same problems in version 5.0.10 of the products for Unix.

Adobe Spokesman John Cristofano told internetnews.com no current malicious exploits of the vulnerabilities have been reported.

The San Jose, Calif.-based company posted the fixes after various "highly critical" reports from Secunia and iDEFENSE advised that the holes could allow hackers to disclose sensitive information or compromise a user's system.

Greg MacManus of Reston, Va.-based iDEFENSE Labs, who first found the flaws back in October, said remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow execution of arbitrary code.

"The vulnerability specifically exists in the function mailListIsPdf(). This function checks if the input file is an e-mail message containing a PDF. It unsafely copies user-supplied data using strcat into a fixed-size buffer," iDEFENSE said in its alert.
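The pattern iDEFENSE describes, an unbounded strcat() of attacker-controlled data into a fixed-size buffer, is shown below next to a bounded replacement. This is an added illustration, not code from Adobe or from the iDEFENSE alert; the buffer size, the header name and the helper names are constructed for the example and do not reflect the real mailListIsPdf() implementation.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size; the article does not state the real one. */
#define LINE_BUF_SIZE 64

/*
 * Unsafe pattern from the alert: user-supplied text appended with strcat()
 * into a fixed-size buffer with no check that it fits. Shown for contrast
 * only; an oversized 'line' writes past the end of 'buf'.
 */
int append_unbounded(char *buf, const char *line)
{
    strcat(buf, line);   /* no length check: the overflow the alert describes */
    return 0;
}

/*
 * Hardened form: measure the remaining capacity first and refuse the append
 * when the result plus its NUL terminator would not fit.
 * Returns 0 on success, -1 when the input is rejected; 'buf' always stays
 * NUL-terminated.
 */
int append_bounded(char *buf, size_t buf_size, const char *line)
{
    const char *end = memchr(buf, '\0', buf_size);
    if (end == NULL)
        return -1;                          /* buffer not terminated: refuse */
    size_t used = (size_t)(end - buf);
    size_t room = buf_size - used - 1;      /* bytes left for content */
    size_t need = strlen(line);
    if (need > room)
        return -1;                          /* would overflow: reject the input */
    memcpy(buf + used, line, need + 1);     /* copies the terminator as well */
    return 0;
}

/*
 * Example consumer (constructed): decide whether a mail header value names a
 * PDF attachment. Oversized input is treated as "not a PDF" rather than
 * being allowed to corrupt the stack.
 */
int is_pdf_attachment_header(const char *value)
{
    char buf[LINE_BUF_SIZE] = "Content-Type: ";
    if (append_bounded(buf, sizeof buf, value) != 0)
        return 0;
    return strstr(buf, "application/pdf") != NULL;
}

/* Constructed 199-byte input: longer than the buffer, must be rejected. */
int oversized_input_rejected(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return is_pdf_attachment_header(big) == 0;
}

int main(void)
{
    printf("pdf header : %d\n", is_pdf_attachment_header("application/pdf; name=\"a.pdf\""));
    printf("text header: %d\n", is_pdf_attachment_header("text/plain"));
    printf("oversized rejected: %d\n", oversized_input_rejected());
    return 0;
}
```

The defensive point is that the bounded version fails closed: an input that does not fit is rejected and reported to the caller instead of being written past the buffer.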

In another case, a format string error within the eBook plug-in when parsing ".etd" files could be exploited to execute arbitrary code via a specially crafted eBook containing format specifiers in the "title" and "baseurl" fields, Secunia said in its advisory.

Similarly, malicious people could exploit the multiple vulnerabilities in "libpng" to compromise a vulnerable system, and an error within the handling of Flash files embedded in PDF documents could be exploited to read the content of files on a user's system.

Adobe said the update requires that the English or Japanese version of Adobe Reader 6.0.2 is installed. Support for updating all 15 primary localizations of Adobe Reader will be posted at a later date. Enterprise and IT administrators may find it more convenient to start with full, uncompressed versions of Adobe Reader 6.0.2 before applying the update to version 6.0.3, the company said.

Cristofano said the vulnerabilities would also be covered in the upcoming Acrobat Professional and Standard version 7.0 software and corresponding Adobe Reader version 7.0.