Adobe Unveils Another Set of Critical Patches

For the second time this week, Adobe Systems has released a set of critical vulnerability patches.

An Adobe (NASDAQ: ADBE) spokesperson told that the vendor released six critical patches for Flash Player 9 on Thursday and eight patches for five-month-old vulnerabilities in Adobe Reader and Acrobat 8.1.3 on Tuesday.

Vulnerabilities in Adobe applications are particularly dangerous because they are widely used on the Web, Chris Wysopal, chief technology officer at application security analysis vendor Veracode told

Enterprises, which are slow to upgrade, will be hardest hit by these bugs, which target older versions of the Adobe applications, Wysopal said.

The latest versions of Adobe Reader and Acrobat are Version 9; and Adobe released Flash Player 10 in October.

The vulnerabilities in Adobe’s applications are all JavaScript bugs. Wysopal said that any application that interprets JavaScript, which Adobe applications do, has a lot of vulnerabilities.

JavaScript has a global object that experts say is the root cause of cross site scripting attacks. Together with SQL injection attacks, it comprises about 60 percent of all Web site attacks.

Other applications, such as browsers, also have JavaScript vulnerabilities, but Adobe is coming under attack because it is a convenient target. Wysopal said hackers are turning their attention to applications from Adobe and other vendors using JavaScript because their traditional targets, browsers, have been hardened over the years.

“The vulnerabilities have always been there, it’s just that hackers are now starting to scrutinize other client applications that interpret JavaScript and they’re finding them,” he added.

The popularity of Adobe’s applications make it an even more desirable target. “Flash could be the most popular software in the world because it’s a multiplatform application, and attackers go for large populations so they can hit the most machines,” Wysopal said.

News Around the Web