Adobe to fix Reader hole unveiled at Black Hat

Adobe's emergency update will fix several critical issues in Reader and Acrobat, including one that was disclosed publicly last week.


Adobe said Thursday that it will release an emergency fix the week of August 16 for a critical hole in Reader that was publicly disclosed at the Black Hat conference last week.

The flaw, which could be exploited to take control of a computer, lies in the way Adobe's PDF (portable document format) reader software handles fonts, said Charlie Miller, principal analyst at Independent Security Evaluators. He disclosed the hole during his presentation on a tool for working out which underlying bugs are responsible for software crashes, he said.

"I don't give the exploit, but you could take what I provide and turn it into an exploit," he told CNET.

Asked if three weeks was a reasonable time for Adobe to release a patch, Miller said: "I'm kind of surprised how fast they're fixing it."

The vulnerability is an "integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, (that) allows remote attackers to execute arbitrary code via a TrueType font," according to the description in the National Vulnerability Database.
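The NVD text names the bug class but not the code. The following is an added illustration of that class, an integer overflow in size arithmetic driven by a count read from an untrusted font table, written for this page; it is not CoolType's code or Adobe's, and the four-byte count header and eight-byte entry layout it parses are a hypothetical format chosen for the example, not a TrueType structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table layout (assumption for this example, not TrueType):
   a 4-byte big-endian entry count followed by that many ENTRY_SIZE-byte
   entries. The count is attacker-controlled because it comes from the file. */
#define ENTRY_SIZE 8u

static uint32_t read_u32be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the allocation size is computed in 32-bit arithmetic
   with no overflow check. For count = 0x20000001, count * 8 = 0x100000008,
   which wraps to 8, so a caller would allocate 8 bytes and then copy
   0x20000001 entries into it: a heap overflow. */
uint32_t alloc_size_vulnerable(const unsigned char *hdr) {
    uint32_t count = read_u32be(hdr);
    return count * ENTRY_SIZE;
}

/* Hardened version: reject a count whose product would wrap, and reject a
   count that claims more entries than the table actually contains.
   Returns 0 and sets *out on success, -1 on rejection. */
int alloc_size_checked(const unsigned char *hdr, size_t table_len, uint32_t *out) {
    if (table_len < 4) return -1;                 /* header itself is truncated */
    uint32_t count = read_u32be(hdr);
    if (count > UINT32_MAX / ENTRY_SIZE) return -1; /* count * ENTRY_SIZE would wrap */
    uint32_t bytes = count * ENTRY_SIZE;
    if (bytes > table_len - 4) return -1;         /* more entries than bytes present */
    *out = bytes;
    return 0;
}

/* Constructed sample tables (not taken from any real font). */
const unsigned char benign_table[] = {
    0x00, 0x00, 0x00, 0x02,                         /* count = 2 */
    1, 2, 3, 4, 5, 6, 7, 8,  9, 10, 11, 12, 13, 14, 15, 16 /* two 8-byte entries */
};
const size_t benign_table_len = sizeof benign_table;

const unsigned char malicious_table[] = {
    0x20, 0x00, 0x00, 0x01,                         /* count = 0x20000001 */
    0, 0, 0, 0, 0, 0, 0, 0                          /* only one entry really present */
};
const size_t malicious_table_len = sizeof malicious_table;

int main(void) {
    uint32_t bytes;
    printf("vulnerable size for malicious count: %u bytes\n",
           alloc_size_vulnerable(malicious_table));   /* wraps to 8 */
    printf("checked parse of malicious table: %s\n",
           alloc_size_checked(malicious_table, malicious_table_len, &bytes) == 0
               ? "accepted" : "rejected");
    if (alloc_size_checked(benign_table, benign_table_len, &bytes) == 0)
        printf("checked parse of benign table: %u bytes\n", bytes);
    return 0;
}
```

The two checks are deliberately separate: the division test catches arithmetic wraparound regardless of how large the table is, while the comparison against `table_len` catches the far more common case where the count is simply larger than the data behind it.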

Adobe's security update, which will come ahead of the company's quarterly security releases scheduled for October 12, will resolve an undisclosed number of critical issues in Reader 9.3.3 for Windows, Mac, and Unix; Acrobat 9.3.3 for Windows and Mac; and Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac, according to Adobe's advisory.

"We are not aware of any exploits in the wild around any of the vulnerabilities that will be fixed in this out-of-band update," an Adobe spokeswoman said in a statement.
