Google Researchers Expose Unpatched Flaws Adobe Reader

By Bill Vanzyl|August 17, 2012|8:35 am

Categories: Adobe, Jurczyk, Linux

Array

Two Google security researchers have accused Adobe of failing to fix various reported vulnerabilities in Adobe Reader in a timely manner and are using the delay as justification to publicize details behind the security holes.

Adobe will release upgrades for Adobe Reader and Acrobat X, but provided few details about what is in the updates.

The duo also has recommended that users avoid Reader until Adobe rolls out patches.

Googlers Mateusz Jurczyk and Gynvael Coldwind have asserted that back in June, they reported 46 reproducible crashes in Reader to Adobe.

Unfortunately, the sandbox feature is not available for the newest versions of Adobe Reader for OS X or Linux.

In keeping with Google’s vulnerability disclosure policy, the duo has made public some details about the remaining vulnerabilities.

Specifically, Jurczyk and Coldwind published the stack traces of all 16 crashes affecting Windows and OS X.

They did opt to obfuscate the call stacks, hiding the 20 least significant address bits, as well as other information that could be exploited by a malicious hacker.

Google’s policy is to give vendors 60 days to fix bugs before sharing them with the public — a fact that gained particular notoriety back in 2010 when Google researcher Tavis Ormandy published attack code for a bug in Windows XP’s Help and Support Center.

According to Jurczyk and Coldwind, Adobe plans to fix the outstanding reported bugs and issue an update for the Linux version of Reader in an upcoming release, but that release won’t come quickly enough for Jurczyk and Coldwind’s liking.

In terms of mitigations and work arounds, Jurczyk and Coldwind advised that users of Reader for Linux remove the Annots.api and PPKLite.api plug ins.

“Adobe has confirmed they have no plans to issue additional out of band updates before August 27, which is 60 days after we disclosed all bugs,” according to their post.

“Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds,” they wrote.

“Since the Linux Reader version remains unpatched and the Windows/OS X patches are now available for diffing and reverse engineering, we have decided that it’s in the best interest of users to be aware of these security issues without additional delay.”.

In terms of mitigations and work arounds, Jurczyk and Coldwind advised that users of Reader for Linux remove the Annots.api and PPKLite.api plug ins.

Their advice: Limit use of Adobe Reader, do not open externally received PDF files, and disable the Adobe Reader browser extension for now.

The vulnerability that Adobe found in Flash Player 10.2.153.1 and earlier versions affects Windows, Macintosh, Linux, Solaris and Android.

This story, “Google researchers expose unpatched flaws in Adobe Reader,” was originally published at InfoWorld.com.

Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Bill Vanzyl is a business journalist based in Tokyo, Japan. Bill has a passion for financial markets and breaking news stories and loves writing about business news, stock market, and economic opinions that matters most to its audience. Bill spends a lot of time discovering and researching latest financial markets and industry news stories in order to make sure the latest and greatest stories are brought to you first on BigBoardNews.com.