Adobe plugs seven month old ‘critical’ bugs in Reader and Acrobat

Adobe has cleaned up 18 critical flaws in Flash Player and 34 critical flaws in Reader and Acrobat, including two that Google reported last October.

Adobe flagged last week that a scheduled update to address critical flaws in Reader and Acrobat was on the way, which it’s today confirmed are fixes for 34 flaws that include two serious bugs Google reported seven months ago.

The two vulnerabilities affect Macs with the latest version of Reader and Acrobat. Google’s Project Zero team published details about them in January, 90 day after reporting to Adobe. Adobe had, according to Google, fixed the flaws in Reader and Acrobat for Windows in the February update, but couldn’t develop a fix for Macs.

Google in January said it had “reproduced the crash on a fully updated Adobe Reader for Mac” and wasn’t aware of any mitigations for the vulnerability. The first bug (CVE-2014-9160) was a heap-based buffer overflow, while the second (CVE-2014-9161) was an out-of-bounds memory access in Google’s opinion.

Adobe confirmed today that both of the bugs could lead to code execution, meaning an attacker that exploited them could take over a targeted machine.

Fortunately, Adobe said it’s not aware of any attacks in the wild for any of the vulnerabilities it fixed in today’s release, though that situation may change soon given that Google has published proof of concept attack code for the bugs it discovered.

The updates bring Adobe Reader XI to version 11.0.11 and Reader X to 10.1.14, with corresponding version numbers for Acrobat XI and X. These apply to Windows and Mac systems.

Among the more severe flaws include multiple use-after free bugs, buffer overflow vulnerabilities and memory corruption vulnerabilities, the last of which included the bugs Google detailed in January.

Adobe has also plugged 18 flaws affecting Flash Player, which Adobe also rated critical. The latest version of Flash Player for Windows and Mac are Chrome and Internet Explorer on Windows 8.1 will automatically update to this version. Linux systems should update to

There are also updates for Adobe Air and the Adobe AIR SDK.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Feeling social? Follow us on Twitter and LinkedIn Now!

Tags Googleadobe acrobatadobe readerflash playerCSO Australiaattack codeCVE-2014-9161CVE-2014-9160

Show Comments