Google warns about Adobe Reader - especially on Linux

Labels: , ·

            Adobe has at its August Patch Tuesday closed many critical memory error in its Reader for Windows and Mac OS X, but it left the Linux users out of it. The discoverers of vulnerabilities now fear that a comparison of the current Windows version of the Reader, and the previous version gets enough evidence to build exploits. Linux users were these defenseless. Moreover, there are even in the patched versions have a total of 16 open security holes.

             The Google employee Mateusz Jurczyk and Gynvael Coldwind initially studied the PDF engine of the Chrome browser, where they found many gaps. Then they also tested the Adobe Reader and discovered some 60 crash causes, of which 40 can be potentially exploited for attacks. After both Adobe informed about their findings, the manufacturer promised relief - hinted, however, that not all gaps on August's Patch Tuesday will be closed.

              And so it happened: The Tuesday published versions 10.1.4 and 9.5.2 is only available for Windows and Mac OS X. And even these errors have been corrected versions are vulnerable for 16 of the reported vulnerabilities that affect either Windows, OS X, or both systems. As evidence published the Google employee disguised information about the crash. The security experts believe it is possible that the unpatched vulnerabilities can be discovered by others, as they were tracked by modifying publicly accessible PDF documents.

              Putting the threat of researchers, all details about the gaps in the sense of responsible publication ("responsible disclosure") into the grid, Adobe had apparently cold: the deadline would expire 60 days after the date on which Adobe was informed of the gaps - that would be the 27th August. Adobe was against the discoverers of vulnerabilities, however, plan to this date no more updates.

               As a consequence recommend the Google employees to not open PDF documents from external source using the Adobe Reader. Anyone using a browser other than Chrome can protect themselves by disabling the browser extension of the reader. This allows the exploitation of the vulnerabilities already in the call specially prepared websites.

             Windows users who still sit on the 9 version of the Reader, security experts advise to upgrade to Adobe Reader X, as this version is given a sandbox, the more difficult to exploit the gaps. Linux users by deleting the two plugins and Annots.api PPKLite.api from the folder / path/to/Adobe/Reader9/Reader/intellinux/plug_ins least two of the seal gaps, but this one given the sheer number of vulnerabilities such as drops in the bucket.

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)