Tweet

Adobe released some major security updates for its products, particularly Adobe Reader and Acrobat, on all platforms (Win, Mac OS, Linux) and we strongly encourage our readers to install these updates. For details, the Adobe blog is worth reading as well.

This update is in line with a recent zero-day attack that we also reported earlier this month.

Adobe PDF was a main target for malware writers during the last months so we are very delighted to see this response from Adobe. We strongly advise users to install these updates as soon as possible.

Update as of July 3, 2010, 10:27 a.m. (UTC)

The recent Adobe patch included a fix for the oft-abused /launch vulnerability that when successfully exploited can allow files embedded in .PDF files to be dropped and executed on systems. This feature has now been modified. While the feature was not totally disabled, Adobe has chosen to implement a black list to prevent .EXE files from running on a system by default. (System administrators can choose to re-enable this if they want to.) Details for the fix can be found here.

However, reports indicate that the current fix does not completely solve the problem, as a proof-of-concept (PoC) code bypassing Adobe’s solution has been released. Adobe has acknowledged this but believes that the current solution still reduces risks of attack.