Think Information. Think Security.
Adobe patched a huge number of flaws in its Reader software on Windows and Mac OS X on Tuesday, many of which were reported to the company by members of Google's internal security team, which had set up a long-term fuzzing program to look for interesting crashes in the embedded PDF viewer in the Chrome browser. However, the Google researchers said that there are still a number of serious vulnerabilities in the application running on Windows and OS X that Adobe failed to patch and so the researchers have released limited details on the bugs and some advice for users on how to mitigate the risks from the vulnerabilities.

The Google security team began a project earlier this year to find potentially exploitable crashes in Reader, one of the more widely deployed applications on the Web. The team had originally run the test against Chrome's embedded PDF reader and come up with more than 50 bugs, ranging in severity from low to high, and reported them to Adobe. The company fixed all of the high and critical severity vulnerabilities in its patch release yesterday.

The Google team then turned their attention to the Adobe Reader application running on GNU Linux, tossing huge amounts of malformed data at it and came up with 60 crashes. They sent the data to Adobe, but none of the Linux flaws were fixed in the patch release on Tuesday. Also, the researchers said that there are still a number of outstanding vulnerabilities in the Windows and OS X versions of Reader that remain unpatched and they said that attackers may be able to find the flaws independently. However, the vulnerabilities are in older, non-sandboxed versions of Reader. Users who run Adobe Reader X for Windows, which includes a sandbox to lessen the severity of attacks on certain bugs, are at less of a risk from these remaining vulnerabilities. 

"Unfortunately, sixteen more crashes affecting Windows, OS X, or both systems remain unpatched. Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release. Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds," Mateusz Jurczyk and Gynvael Coldwind of Google wrote in an analysis of the bugs.

The researchers have released the stack traces of the remaining unpatched flaws, but hid some of the information that attackers would need in order to locate and exploit the same crashes. Jurczyk and Coldwind recommend that, because there are no effective workarounds for the remaining flaws, users limit their use of Reader and not open PDFs sent from external sources.

Adobe releases patches for Reader on a regular schedule wherein Adobe has confirmed they have no plans to issue additional out of band updates before August 27, which is 60 days after disclosed all bugs but will sometimes push out updates outside of that schedule if there are critical bugs, especially if they're publicly known and being used in attacks. But the Google team said Adobe doesn't have immediate plans to do that in this case.

Cross-posted from: Threat Post

Leave a Reply.