Wednesday, August 4, 2010

New Critical Vulnerability in Adobe Reader and Nobody Wants to Know

Via H-Online -

Some things have become so commonplace that nobody even takes much notice of them anymore. Security expert Charlie Miller found this to was the case when presenting a gaping hole in Adobe's Reader product at the Black Hat conference one week ago. After his presentation, Miller said: "Adobe security is so bad that […] not a single person tweeted it. Sad."

Adobe has since confirmed the hole which affects the current version of Adobe Reader for Windows, Mac OS X and Unix and can be exploited to inject arbitrary code into a system and execute it there. Whether older versions are also vulnerable remains unclear. Adobe said they are working on a patch and are currently determining whether the information disclosed by Miller warrants an out-of-schedule update or whether to fix the flaw on the next scheduled patch day. So far, there have been no signs that the hole is being exploited in the wild.


For more information on the new Adobe Reader vulnerability....

This vulnerability should not be confused with the PDF exploit that is being used to jailbreak the iPhone 4. The exploits works by taking advatage of a hole in the Apple's Mobile Safari browser. Then another local privilege esclation vulnerability (in the kernel) is used to faliciate the jailbreak.

Apple iOS Security Bypass and PDF File Processing Vulnerability

However, the PDF used to jailbreak the iPhone was found to cause crashes in Foxit Reader. Foxit reader has since released Foxit Reader v4.1.1.0805 to address the crash issues.

No comments:

Post a Comment