Adobe Systems released new versions of Adobe Reader 10.x and 9.x on Tuesday, addressing four arbitrary code execution vulnerabilities and making several security-related changes to the product, including the removal of the bundled Flash Player component from the 9.x branch.
All of the vulnerabilities fixed in the newly released Adobe Reader10.1.3 and Adobe Reader 9.5.1 versions could be exploited by anattacker to crash the application and potentially take control of theaffected system, Adobe said in its APSB12-08security bulletin. Users are advised to install these updatesas soon as possible.
Screenshot of the Adobe Readersecurity updates detailed on Adobe’s Web site.
The company also announced that Adobe Reader 9.5.1 no longer includesauthplay.dll, a Flash Player library that was bundled with previousversions of the program to enable the rendering of Flash contentembedded in PDF documents.
The presence of the authplay.dll component in Adobe Reader has causedsome security issues in the past, primarily because of the inconsistentupdate schedules for Adobe Reader and Flash Player.
Authplay.dll contains much of the stand-alone Flash Player’s code,which also means that it shares most of the latter’s vulnerabilities.However, while Flash Player is patched by Adobewhen needed, AdobeReader used to follow a more strict quarterly update cycle.
This often resulted in situations where some known vulnerabilities gotpatched in Flash Player, but remained exploitable through authplay.dllfor months, until the next scheduled update for Adobe Reader.
Such is the case with the new Adobe Reader 10.1.3 version, whichincorporates three previous Flash Player security updates that werereleased separately during the last three months.
Starting with Adobe Reader 9.5.1, Adobe Reader 9.x will use thestand-alone Flash Player plug-in that’s already installed on computersfor browsers like Mozilla, Safari or Opera, in order to play Flashcontent in PDF files.
This functionality will not work with the ActiveX-based Flash Playerplug-in for Internet Explorer or the special Flash Player plug-inversion bundled with Google Chrome.
Adobe plans to remove authplay.dll from the 10.x branch of Adobe Readerin the future as well and is currently working on APIs (applicationprogramming interfaces) to make this possible, said David Lenoe, groupmanager for Adobe’s Product Security Incident Response Team (PSIRT), ina blogpost Tuesday.
Vulnerability management vendor Secunia welcomes Adobe’s decision toremove authplay.dll from Adobe Reader, because it will make addressingFlash vulnerabilities easier for users, Secunia’s chief securityspecialist, Carsten Eiram, said.
“However, the default option in Adobe Reader should be to not supportFlash content in PDF files, requiring users to specifically enablethis,” Eiram said. “Most users do not need it and Flash contentembedded in PDF files has historically been exploited as a vector tocompromise Adobe Reader users’ systems.”
Patch-as-needed policy adopted
This is actually the approach Adobe has taken with the 3D contentrendering feature. Starting with Adobe Reader 9.5.1, this feature hasbeen disabled by default because it’s not commonly used and can beexploited in certain circumstances, Lenoe said.
“We’ve seen 0-days targeting this part of thefunctionality and itseems to be one of the more flawed features,” Eiram said. “We’ve for along time been recommending users to disable the plugins used for 3Dparsing.”
In addition to making these security patches and changes, Adobe alsodecided to cancel its quarterly update cycle for Adobe Reader andAcrobat and return to its previous patch-as-needed policy. Future AdobeReader updates will continued be released on the second Tuesday of themonth, but it will no longer happen every four months.
“We will publish updates to Adobe Reader and Acrobat as neededthroughout the year to best address customer requirements and keep allof our users safe,” Lenoe said.
“The quarterly update cycle never worked for Adobe,” Eiram said.”Vulnerability fixes should always be provided as quickly as possible;it’s not justifiable to unnecessarily postpone a vulnerability fix forup to three months simply due to policy reasons.”
