Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.
Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”
Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.
More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.
Didier Stevens’ attack code doesn’t work as a limited user. It won’t even launch the cmd.exe file, it just produces a permissions error. All the more reason to not run as admin.
Also Brian, I recommend not going through Help > Update but through Edit > Preferences > Updater and selecting “Automatically Install Updates.” That way it just does it when an update is available.
Why the downvotes? It irks me that this isn’t the default on Acrobat. Not to mention JavaScript being enabled by default. If Adobe made these changes we’d see a lot less Acrobat-based attacks.
I don’t know why? Perhaps it is because it doesn’t work in the LAN environment? Most update features on most applications can’t make it through the perimeter firewall. [or maybe IIS for some]
I don’t use Adobe anymore, as I switched to Foxit, so I can’t really speak from experience. If I did – I might be able to vote up or down on this for you! ; )
Thank you, Brian, your reminders are always helpful. Took less than a minute to update Reader.
(Pet peeve: Why does every Adobe update put a shortcut on the desktop?)
From the Adobe advisory in the post;
…
Solution
Adobe recommends users update their software installations by following the instructions below:
…
later in the same post.
…
Note: Adobe Reader 9.3.4 for Windows, Macintosh and UNIX will be available from the Adobe Reader Download Center at http://get.adobe.com/reader/ by August 31, 2010.
…
Why even talk about the issue when you are going to give the bad guys time to use the exploit?
Hi Brian, Thanks for this info. Just a question & anyone here can post too ^,^
I’m still using Adobe Acrobat 7.0 Standard, with the most recent installed updates indicated as Version 7.1.4. I’ve visited the site to download an update, but since the latest is still 7.1.4, does it mean I’m not affected?
https://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
TIA
regards, Jaybie
Jaybie,
You might want to consider other options, such as upgrading or going with another product. It looks like Adobe no longer supports the version you’re running. Someone please correct me if I am wrong.
http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html
Hello Brian,
Thanks for the suggestion. BTW, we’re on a tight budget for additional software & licenses. Maybe we’ll stick with it for a while.
Nice link, seems it’s End of Support Time on my version.
Thanks a lot.
You should be able to install the newer version of Reader w/o adversely impacting Acrobat, just be sure to use Reader for all PDFs you get…
Reader is free…
Hi Timeless,
Thank you for your suggestion, much appreciated.
Regards, Jaybie