On August Patch Day, Adobe fixed several critical memory-related bugs in Reader for Windows and Mac OS X, but ended up neglecting Linux users. The researchers who discovered the flaws now fear that potential criminals might find ways to build an exploit by comparing the current version of Reader for Windows with the previous one. This would leave Linux users unprotected. In addition, some versions still have 16 open security holes.
Initially, Google employees Mateusz Jurczyk and Gynvael Coldwind examined the Chrome browser's PDF engine and discovered several holes. They then tested Adobe Reader and found approximately 60 crash issues and 40 potential attack vectors. When they reported their Adobe findings, the company promised to provide corrections, but warned that not all issues would be fixed by August Patch Day.
On Tuesday, that was exactly what happened. Versions 10.1.4 and 9.5.2 have been released for Windows and Mac OS X only. However, they are still vulnerable to the 16 reported issues. To prove this, Google employees released crash-related information. They said corrected flaws could be identified by third parties as they would be discovered by publicly modifying PDF documents.
The Google employees recommend that users avoid opening any PDF documents from external sources in Adobe Reader. Those using a non-Chrome browser can protect themselves by disabling the browser extension for Reader, which allows flaws to be exploited with a simple visit to a specially constructed page.
Windows users still using Reader version 9 have been warned to upgrade to Adobe Reader X, because this version contains a sandbox that makes crash scanning more difficult. Linux users can fix two bugs by deleting the annots.api and PPKLite.api plugins from the /path/to/Adobe/Reader9/Reader/intellinux/plug_ins directory, but this is a drop in the ocean considering the total number of crashes affecting Reader for Linux.