Sophos principal virus researcher Vanja Svajcer guest blogs about the latest security updates from Adobe. Over to you Vanja…
Users around the world will be pleased to learn that Adobe has managed to release an accelerated security update for Adobe Reader and Acrobat (APSB10-15) before the planned release date (13th July). The latest version of Adobe Acrobat and Reader for Windows is now 9.3.3.
The security update includes fixes for 17 vulnerabilities, which means that the guys from Adobe PSIRT have been working very hard in the last month or so.
From the malware protection point of view, the most important vulnerability patched with the latest update is CVE-2010-1297, which has been actively exploited since its discovery on June 5th.
You can read more about this vulnerability and the known exploits in our vulnerability analysis.
The second interesting fix, from the malware protection perspective, addresses the issue discovered by Didier Stevens. The issue, which I deliberately won’t call a vulnerability, is due to the specifics of the PDF /Launch action implementation in Adobe’s code. The /Launch action allows a malicious user to embed and launch an executable file when the user opens a PDF document. This /Launch functionality is now disabled by default in Adobe Reader.
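A defender-side check for the /Launch action described above, added here as an illustration (not code from Sophos, Adobe or Didier Stevens): it scans raw PDF bytes for any name that decodes to Launch, including the #xx hex-escaped spellings that PDF names allow. The function names and the sample document are constructed for this example, and it goes slightly beyond the text by also flagging /OpenAction and /AA, the keys that tie an action to document open or other events.

```python
import re

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape, so "/L#61unch" is the same name as "/Launch".
NAME_RE = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keys that bind an action to document open or to page/document events.
AUTO_KEYS = {b"OpenAction", b"AA"}

# Constructed sample: a benign fragment whose action name is hex-escaped.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /L#61unch /F (constructed-placeholder.txt) >>\nendobj\n"
)

def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside a PDF name token (leading slash removed)."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage(data: bytes) -> dict:
    """Report Launch actions found in the uncompressed part of a PDF."""
    names = [(m.start(), m.group(1)) for m in NAME_RE.finditer(data)]
    launch = [(off, raw) for off, raw in names if decode_name(raw) == b"Launch"]
    decoded = {decode_name(raw) for _, raw in names}
    return {
        "launch_offsets": [off for off, _ in launch],
        "obfuscated": any(b"#" in raw for _, raw in launch),
        "auto_trigger": sorted(k.decode() for k in decoded & AUTO_KEYS),
    }

if __name__ == "__main__":
    # Objects stored inside compressed object streams are not inspected here;
    # inflate the streams first if full coverage is needed.
    print(triage(SAMPLE))
```

A hit with `obfuscated` set is worth a closer look, since ordinary PDF producers have no reason to hex-escape the letters of an action name.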
Though it is obvious that Adobe is doing more to address vulnerabilities found in their product, the high number of patched vulnerabilities indicates that it may be a good time for Adobe to go through a security push to overhaul their approach to building security into their products.
Microsoft already went through a similar exercise, and the results show: vulnerabilities are getting more difficult to discover and exploit.
Go on Adobe, make my day.