Adobe Fixes Multiple Flaws

Adobe issued a patch
this week that helps prevent multiple flaws found in its products.

The fixes clear up problems in Windows and Macintosh systems running
Adobe Reader and Acrobat Pro versions 6.0.0 through 6.0.2. The
vulnerabilities were found in the products’ embedded Flash, eBooks and
PNG libraries.

The Web publishing software firm also issued
a separate patch that clears up the same problems found in the Unix 5.0.10 version of the platforms.

Adobe Spokesman John Cristofano told internetnews.com no
current malicious exploits of the vulnerabilities have been reported.

The San Jose, Calif.-based company posted the fixes after various
“highly critical” reports from Secunia and iDEFENSE
advised that the holes could allow hackers to disclose
sensitive information or compromise a user’s system.

Greg MacManus, at Reston, Va.-based iDEFENSE Labs who found the flaws
first back in October, said a remote exploitation of a buffer overflow
in version 5.09 of Adobe Acrobat Reader for Unix could allow for
execution of arbitrary code.

“The vulnerability specifically exists in the function
mailListIsPdf(). This function checks if the input file is an e-mail
message containing a PDF. It unsafely copies user-supplied data using
strcat into a fixed sized buffer,” iDEFENSE said in its alert.

In the other cases, a format string error within the eBook plug-in
when parsing “.etd” files could be exploited to execute arbitrary code
via a specially crafted eBook containing format specifiers in the
“title” and “baseurl” fields, Secunia said in its advisory.

Similarly, malicious people to compromise a vulnerable system could
exploit the multiple vulnerabilities in “libpng” and an error within the
handling of Flash files embedded in PDF documents could be exploited to
read the content of files on a user’s system.

Adobe said the update requires that the English or Japanese version
of Adobe Reader 6.0.2 is installed. Support for updating all 15 primary
localizations of Adobe Reader will be posted at a later date. Enterprise
and IT administrators may find it more convenient to start with full,
uncompressed versions of Adobe Reader 6.0.2 before applying the update
to version 6.0.3, the company said.

Cristofano said the vulnerabilities would also be covered in the upcoming
Acrobat Professional and Standard version 7.0 software and corresponding Adobe Reader version 7.0.

News Around the Web