Adobe Issues Planned, Unplanned Patches

Thursday, August 14, 2014 @ 05:08 PM gHale


Adobe Reader and Acrobat received an out of band patch that fixes a flaw that could allow an attacker to bypass sandbox protection.

In a security bulletin issued on Tuesday, Adobe said the vulnerability impacts only the Windows versions of the software, the OS X variants remain unaffected.

RELATED STORIES
Flash Trojan Targets Android Devices
New Tool to Create Malicious PDFs
Adobe Patches Flash Player, AIR
Adobe Fixes 18 Vulnerabilities

There isn’t much information about the issue, which has Common Vulnerabilities and Exposures identifier CVE-2014-0546, but there it is undergoing exploitation in isolated attacks.

Bad guys are leveraging the glitch to target Adobe Reader users. Updating to the latest version of the product is highly recommended, officials said.

Adobe acknowledged the work of Costin Raiu and Vitaly Kamluk of Kaspersky Lab for discovering the vulnerability. Raiu, Director of Global Research and Analysis Team at Kaspersky Lab, said the patch “fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.”

“Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible,” he said in a blog post.

By default, the update goes out automatically through the built-in mechanism, but you can also update manually.

Adobe also updated Flash Player, the latest version addressing a suite of seven vulnerabilities.

Four of the glitches came from Chris Evans from Google’s Project Zero, and all of them (CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545) caused memory leaks that could end up used for bypassing memory address randomization.

Another vulnerability, CVE-2014-0540, came from HP’s Zero Day Initiative and offers the same advantage to a potential attacker.

The other two vulnerabilities resolve a user-after-free flaw (CVE-2014-0538) that could lead to remote code execution, and a security bypass glitch (CVE-2014-0541). Wen Guanxing from Venustech Adlab and Soroush Dalili of the NCC Group, respectively, found the vulnerabilities.



Leave a Reply

You must be logged in to post a comment.