Adobe Set To Plug PDF Flaws

An out-of-cycle security patch will fix multiple flaws, including a critical bug discussed at the Black Hat security conference

Adobe Systems is planning to issue an out-of-band security update later this month to plug multiple security holes, including one discussed last week at the Black Hat security conference.

The update will cover critical bugs affecting Adobe Reader and Acrobat. Among them will be a flaw mentioned at Black Hat by Charles Miller, principal security analyst with consulting firm Independent Security Evaluators. The bug, which can be used by attackers to compromise a system, is due to an integer overflow error.

“We are planning to make available an out-of-band security update for Adobe Reader and Acrobat during the week of August 16, 2010,” an Adobe spokesperson told eWEEK. “This update will resolve critical security issues in Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010.”

Memory Corruption

According to Secunia, the vulnerability uncovered by Miller can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font, and affects Adobe Reader versions 8.2.3 and 9.3.3 as well as Acrobat 9.3.3. The company warned that earlier versions may be affected as well, and advised users not to open untrusted PDF files with the software.

The Adobe spokesperson said the company is currently unaware of any exploits in the wild targeting any of the issues slated to be covered in the update.