Adobe has released an update to Acrobat and Reader this week to address several flaws. The vulnerabilities are patched in Acrobat/Reader versions 9.3.4 and 8.2.4. In addition to the vulnerabilities already fixed in Flash on August 10th, this patch also addresses two CVEs unrelated to Flash.
The vulnerabilities being addressed include the one accidentally disclosed by Charlie Miller at the Black Hat conference earlier this month. During Charlie’s presentation he showed some screenshots that provided information that could be used to take advantage of these flaws. Adobe decided to play it safe and release an out-of-band fix to ensure Reader users were protected. More information including download links can be found in Adobe’s security bulletin.
Adobe ColdFusion was also dealt a blow this week when someone publicly disclosed working code to exploit a recently patched flaw. Adobe had chosen to rate the vulnerability “important” while many consider the flaw critical. Using the exploit, it is possible to completely take control of unpatched ColdFusion servers on which the administrative interface is connected to the internet.
Adobe chose to rate this only “important,” as best practices suggest that your server should never be configured in this manner, but we all know that all too frequently best practices are ignored, or not known to the person deploying the application. There are many poorly configured servers out there running ColdFusion, and whether or not yours is one of them, I recommend you apply the fixes from Adobe immediately if you have not already done so.
Last week’s Sophos Security Chet Chat is also online at http://podcasts.sophos.com. Michael Argast and I discuss Microsoft Patch Tuesday, iOS fixes for the PDF rendering exploit, Adobe Flash fixes and RIM’s problems with lawful interception.
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat episode 22.
Adobe logo photo courtesy of Midiman’s Flickr photostream.