Adobe Races to Ready Patch for Another PDF Vulnerability
After a serious security flaw in its Acrobat and Reader applications surfaced at last week's Black Hat security conference, Adobe wants users to know it's rushing out a fix.
Adobe Systems this week sent out a security advisory to let enterprise customers know that it's working feverishly to deliver an out-of-band patch for a PDF vulnerability in its Acrobat Reader software.
According to a blog post by researchers at security software vendor Secunia, the vulnerability can give hackers the ability to "take control of a vulnerable system and install or execute other malicious code."
Security researcher Charlie Miller first brought the flaw to Adobe's (NASDAQ: ADBE) attention during last week's Black Hat USA 2010 security conference in Las Vegas.
Adobe, which has already released unscheduled patches and updates to fix other security holes in its popular Reader and Acrobat apps, said the patch for the vulnerability will be available by the week of Aug. 16 -- almost two months before Adobe's next scheduled quarterly security update on Oct. 12.
The out-of-band update will encompass fixes for Adobe Reader 9.3.3 for Windows, Mac and UNIX, Adobe Acrobat 9.3.3 for Windows and Mac, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac, company officials said.
In the meantime, experts urged users to be on the lookout for files that could be used to exploit the vulnerability discovered by Miller. Secunia security researchers described the flaw as "an integer overflow error in CoolType.dll when parsing the maxCompositePoints field value in the maxp (Maximum Profile) table of a TrueType font."
"This can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font," it added.
Adobe's notification came via its security updater service, which pushes security advisories and updates to consumers and businesses on a scheduled basis and has been in operation since April.