Adobe Patches 29 Flaws

Microsoft isn’t the only vendor out with a mega-load of new security patches this week. Adobe has issued a patch update for 29 security vulnerabilities affecting its Adobe Reader and Acrobat PDF applications.

The patches cover a range of issues and include a fix for a zero-day vulnerability that has been exploited in the wild since last week.

The affected software versions for Adobe’s (NASDAQ: ADBE) update include Adobe Reader and Acrobat 9.1.3, 8.16 and 7.13.

“These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.

The actual vulnerabilities themselves represent a catchall of modern application security issues. Among them are multiple memory and heap buffer overflow conditions that could lead to arbitrary code execution.

Input validation flaws are also plentiful in the update with at least six patches.

Adobe’s PDF applications can run as standalone applications as well as in multiple browsers on multiple operating systems. While many of the flaws apply to all supported operating systems and browsers, there are a few that are specific to certain browsers.

A pair of updates resolves cross-site scripting issues for the PDF browser plugin used with Google Chrome and Opera browsers. There is also a fix specific to Mozilla Firefox for a remote exploitation issue.

Regardless of the browser or the operating system used, security experts are advising all Adobe PDF users to update for their own safety.

“All users of Adobe Reader or Acrobat will need to update their software with today’s release because these updates include fixes for the most critical kind of bugs,” Andrew Storms, director of security at network security vendor nCircle, said in an e-mail to “Several of these could let an attacker take remote control of a user’s computer.”

While Adobe’s patch haul is only slightly less than Microsoft’s massive update on Tuesday — which addressed 34 bugs — Storms noted that there is a big difference between the two sets of updates.

“Microsoft issued 34 bug fixes, but they were spread over 12 different products,” Storms said. “On the other hand, Adobe fixed nearly 30 bugs in just two products. Every security team is hoping that future quarterly security releases from Adobe will not be this massive.”

Adobe began offering its own Patch Tuesday updates earlier this year.

This week’s patch is only the second such Adobe Patch Tuesday release, though Adobe has been forced to released out-of-cycle updates. In July, Adobe patched both its PDF technologies as well as Flash for a set of zero-day vulnerabilities.

News Around the Web