Adobe to fix Reader hole unveiled at Black Hat

Adobe's emergency update will fix critical issues in Reader and Acrobat, including a critical one disclosed publicly last week.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Adobe said Thursday that it will release an emergency fix the week of August 16 for a critical hole in Reader that was publicly disclosed at the Black Hat conference last week.

The flaw, which could be exploited to take control of a computer, is related to the way Adobe's PDF (portable document format) reader software handles fonts, said Charlie Miller, principal analyst at Independent Security Evaluators. He disclosed the hole in his presentation on a tool that can be used to figure out the underlying bugs behind software crashes, he said.

"I don't give the exploit, but you could take what I provide and turn it into an exploit," he told CNET.

Asked if three weeks was a reasonable time for Adobe to release a patch, Miller said: "I'm kind of surprised how fast they're fixing it."

The vulnerability is an "integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, (that) allows remote attackers to execute arbitrary code via a TrueType font," according to the description in the National Vulnerability Database.
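The NVD entry names only the bug class: an integer overflow reached through TrueType font handling. As an added illustration (not Adobe's or CoolType's code, and not a reconstruction of the actual bug), the C below shows the generic pattern a font-table parser can fall into when a 32-bit entry count read from the file is multiplied into an allocation size, beside the overflow-checked form a defender would expect a patch to introduce. The table layout, the `ENTRY_SIZE` constant, the function names and the sample byte buffers are constructed assumptions for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical table layout (constructed for illustration, not the
 * CoolType.dll format): a big-endian 32-bit entry count followed by
 * fixed-size entries. */
#define ENTRY_SIZE 8u

/* TrueType tables store multi-byte fields big-endian. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe pattern: the 32-bit multiply wraps for large counts, so the
 * buffer allocated from this size is far smaller than the number of
 * entries a later copy loop believes it may write. */
uint32_t unsafe_table_bytes(uint32_t entry_count) {
    return entry_count * ENTRY_SIZE;   /* wraps when entry_count > UINT32_MAX / 8 */
}

/* Hardened pattern: refuse counts whose size would wrap, and refuse
 * counts whose data would run past the bytes actually present. */
bool safe_table_bytes(uint32_t entry_count, size_t bytes_remaining, size_t *out) {
    if (entry_count > UINT32_MAX / ENTRY_SIZE) return false;   /* would overflow */
    size_t needed = (size_t)entry_count * ENTRY_SIZE;
    if (needed > bytes_remaining) return false;                /* header lies about length */
    *out = needed;
    return true;
}

/* Parse one table from a buffer. Returns the entry count on success, or
 * -1 when the header is rejected, so nothing is ever copied out of bounds. */
long parse_table(const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t count = read_be32(buf);
    size_t needed;
    if (!safe_table_bytes(count, len - 4, &needed)) return -1;
    uint8_t *entries = malloc(needed ? needed : 1);
    if (!entries) return -1;
    memcpy(entries, buf + 4, needed);      /* bounded by the check above */
    free(entries);
    return (long)count;
}

/* Constructed sample input: a well-formed table with 2 entries. */
const uint8_t SAMPLE_GOOD[20] = {
    0x00, 0x00, 0x00, 0x02,
    1, 2, 3, 4, 5, 6, 7, 8,
    9, 10, 11, 12, 13, 14, 15, 16
};

/* Constructed sample input: count 0x20000001, whose byte size wraps to 8
 * in 32-bit arithmetic, followed by only 4 bytes of data. */
const uint8_t SAMPLE_BAD[8] = { 0x20, 0x00, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD };

int main(void) {
    printf("unsafe size for count 0x20000001: %u bytes\n", unsafe_table_bytes(0x20000001u));
    printf("good table: %ld entries\n", parse_table(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad table: %ld (rejected)\n", parse_table(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The two checks in `safe_table_bytes` are independent: the first catches arithmetic wrap regardless of input length, the second catches a header that claims more entries than the file carries. Reviewing a font or image parser for exactly these two checks at every count-times-size allocation is the practical takeaway.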

Adobe's security update, which will come ahead of the company's quarterly security releases scheduled for October 12, will resolve an undisclosed number of critical issues in Reader 9.3.3 for Windows, Mac, and Unix; Acrobat 9.3.3 for Windows and Mac; and Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac, according to Adobe's advisory.

"We are not aware of any exploits in the wild around any of the vulnerabilities that will be fixed in this out-of-band update," an Adobe spokeswoman said in a statement.