After a week's delay, Adobe has finally pushed out critical security updates for its frequently attacked Reader and Acrobat PDF software packages to patch serious vulnerabilities that could lead to computers being compromised.
The new versions of Adobe Reader and Acrobat released Tuesday for both Windows and Macintosh computers address eight vulnerabilities, five of which could allow for remote code execution.
The remaining three vulnerabilities involve a sandbox bypass vulnerability that can be exploited to escalate an attacker’s privileges on Windows, a denial-of-service (DoS) vulnerability related to memory corruption, and a cross-site scripting (XSS) flaw that only affects the programs on the Mac platform. According to Adobe’s advisory, applying the patches will involve a system restart.
These security updates were originally planned for Tuesday, Sept. 9, to coincide with Microsoft’s monthly patch release, but Adobe postponed them due to issues identified during testing.
Users are advised to update their installations as soon as possible, as Adobe Reader is widely used and has been targeted by attackers in the past.
“Though these are all high priority issues, the disclosure list suggests that they are not active in the wild, but given the nature of the disclosure, exploit or proof-of-concept code will likely become available in the near future,” said Ross Barrett, senior manager of security engineering at Rapid7, via email.
The affected versions are:
- Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows
- Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh
- Adobe Reader X (10.1.11) and earlier 10.x versions for Windows
- Adobe Reader X (10.1.10) and earlier 10.x versions for Macintosh
- Adobe Acrobat XI (11.0.08) and earlier 11.x versions for Windows
- Adobe Acrobat XI (11.0.07) and earlier 11.x versions for Macintosh
- Adobe Acrobat X (10.1.11) and earlier 10.x versions for Windows
- Adobe Acrobat X (10.1.10) and earlier 10.x versions for Macintosh
The new versions can be downloaded by using the following links: