Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog ("Potential issue in Adobe Reader"), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.

Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.

These code bases are pretty old, and the formats they parse (PDF, Flash) are even older. That's where a ton of security bugs hide: in old code that carries a lot of complexity but doesn't get executed very often. Sadly, I don't expect to see a change soon, so stay tuned for further updates.
I have to say, though, that this is getting pretty confusing even for me - and that means it's likely impossible for non-security professionals. This patch seems related to last week's, but different. It would be nice if Adobe were able to take some of the confusion out of the process.
On the other hand, this is being exploited in the wild, so kudos to them for releasing a patch out of cycle.
Via The Register, where John Leyden adds some good background:

Updates to Adobe software are important because its software (particularly its PDF software) has been the number two target for hackers for some years. It only lags behind attacks on Microsoft applications and operating systems.

Adobe is applying a lot of effort to remedy this situation, but its efforts thus far have largely failed to impress. Part of its problem stems from the extravagantly open nature of the PDF specification, which supports all manner of scripting and embedded functionality that isn't needed in day-to-day use of the technologies, while offering opportunities for all manner of security exploits. Alternative PDF viewing applications, such as Foxit, have also had problems on this score.

My take is that it was the 1990s tech bubble "Underpants Gnomes" software development strategy:

Step 1: Add crazy scripting capability to turn PDF into a mini operating system.
Step 2: ???
Step 3: Profit!

Of course, when you turn your document reader app into a mini OS, you now have OS-style security craziness. Sigh.
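As a practical check on the "scripting and embedded functionality that isn't needed in day-to-day use" point above, here is a small triage script, added as an example for this post; it is not code from the post, from Adobe or from The Register. It scans a PDF's raw bytes for the name objects that give a document JavaScript, auto-run actions, program launch and embedded payloads, decodes the #xx name escapes used to hide those names from plain string matching, and inflates zlib streams so names sitting inside compressed object streams are still seen. The list of flagged names, the block/review thresholds and the four constructed sample documents are this example's own assumptions, not anything Adobe or the PDF specification prescribes.

```python
"""Triage a PDF for active content (JavaScript, auto-actions, launch, embeds).

Added example, not the post's, Adobe's or The Register's code. The flagged
name list and the block/review thresholds are assumptions made for this
example; the sample documents are constructed here and are not real malware.
"""
import re
import sys
import zlib

# Name tokens whose presence means the reader may run or embed something.
# /RichMedia is how Flash content rides inside a PDF, which matters for a
# Reader update that bundles a Flash Player fix. (Assumed list for this example.)
RISKY_NAMES = {
    "/JavaScript": "document-level JavaScript",
    "/JS": "inline JavaScript",
    "/AA": "additional-actions trigger (runs on events)",
    "/OpenAction": "action executed when the file opens",
    "/Launch": "launch an external program",
    "/EmbeddedFile": "embedded file payload",
    "/RichMedia": "rich media (Flash) annotation",
}
# Names that alone justify blocking; the rest only warrant a closer look.
BLOCK_NAMES = {"/JavaScript", "/JS", "/Launch"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")       # name ends at a PDF delimiter
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes so /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every zlib stream to the data.

    Object streams and compressed objects hide their names from a plain
    string search. decompressobj() tolerates trailing bytes and truncated
    streams; streams that are not zlib (images, other filters) are skipped.
    """
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {risky_name: occurrence_count} for the raw bytes of a PDF."""
    found = {}
    for token in _NAME_TOKEN.findall(normalize_names(inflate_streams(data))):
        name = token.decode("latin-1")
        if name in RISKY_NAMES:
            found[name] = found.get(name, 0) + 1
    return found


def triage(data: bytes) -> tuple:
    """Return ("block" | "review" | "allow", findings)."""
    found = scan_pdf_bytes(data)
    if any(name in found for name in BLOCK_NAMES):
        return "block", found
    if found:
        return "review", found
    return "allow", found


# Constructed samples (not real malware): an escaped /JavaScript name in the
# clear, JavaScript hidden in a FlateDecode stream, an embedded file only,
# and a document with no active content at all.
SAMPLE_VISIBLE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                  b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
SAMPLE_HIDDEN = (b"%PDF-1.5\n3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
                 + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_EMBED = b"%PDF-1.4\n4 0 obj << /Type /EmbeddedFile >> endobj\n%%EOF\n"
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict, found = triage(fh.read())
        details = ", ".join(f"{n} ({RISKY_NAMES[n]}) x{c}" for n, c in found.items())
        print(f"{path}: {verdict}  {details}")
```

Run it as `python pdf_triage.py file.pdf`. It is a triage filter, not a parser: it does not handle encrypted documents, filters other than FlateDecode, or objects rewritten by incremental updates, so an "allow" verdict only means none of these names are visible, not that the file is safe. The reason the escape decoding and stream inflation are there is the same reason the Register quote gives for the problem: the format offers so many ways to express the same thing that a naive grep for "/JavaScript" is easy to dodge.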