Adobe Quarterly Patch Cycle Automates Updates
Reader, Acrobat, Flash and Shockwave all tagged with updates for security vulnerabilities.
Microsoft wasn't the only vendor out late Tuesday with a scheduled patch update. Adobe delivered its June quarterly patch update on Tuesday as well, fixing over 30 flaws across its product portfolio.
Adobe Flash which was fixed earlier this month for a zero day flaw is being fixed for yet another critical zero day flaw that is already being used by attackers.
"This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe noted in its Flash advisory. "There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages."
The new Adobe Flash Player 10.3.181.26 release for Windows, Macintosh, Linux and Solaris fixes the flaw. Android users will have to wait until the end of the week before a new version is available.
Adobe Shockwave player is being patched for a whopping 24 vulnerabilities. Adobe has ranked the flaws and the update as being 'critical'.
"These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system," Adobe warned in its advisory.
Adobe Reader and Acrobat are being patched for at least 13 different flaws that affect users on Windows and Macs. Memory related issued dominate the list of fixed flaws. Six of the flaws are memory corruption issues, three of the flaws are buffer overflows vulnerabilities, and one is a heap overflow vulnerability.
There is also a fix for a DLL loading vulnerability as well as a cross document script execution vulnerability that could lead to code execution.
Going a step further than just patching flaws, Adobe is also taking steps to improve security in Reader and Acrobat as well. The new Acrobat release includes a sandboxing feature called Protected View. The Protected View sandboxing is an extension of Protected Mode which Adobe first released in Reader X. Protected View provides a sandbox for standalone Acrobat viewing, in addition to just the browser protections that Protected Mode offers.
"Acrobat Protected View provides an additional layer of protection for Acrobat X users and will ultimately result in a safer experience, fewer urgent patches, and lower total cost of ownership in enterprise environments," Brad Arkin, senior director, Product Security and Privacy, wrote in a blog post.
In addition to the improved sandboxing, Adobe is helping users to stay up-to-date with the latest security patches. With the new update Adobe in now enabling an automatic Reader update by default on Windows.
"The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates," Arkin said. "We therefore believe that the automatic update option is the best option for most end-users and strongly encourage users to choose this option."