Today, we announced the availability of Adobe Reader and Acrobat 9.3.3 and 8.2.3. In addition to addressing CVE-2010-1297, referenced in Security Advisory APSA10-01, this accelerated quarterly Adobe Reader and Acrobat update resolves a number of responsibly disclosed vulnerabilities. For more information regarding the security details in these releases, please see Security Bulletin APSB10-15.
As mentioned in the Adobe Secure Software Engineering Team (ASSET) blog post titled Background on APSA10-01 Patch Schedule, today’s security update for Adobe Reader and Acrobat represents an accelerated release of the quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010. The next quarterly update is scheduled for October 12, 2010.
Adobe Download Center Changes are Coming
In the past, we delivered Adobe Reader updates as full installers or patches (for instance, 9.x = full installer, 9.x.y = patch). The Adobe Reader Download Center at http://get.adobe.com/reader always offers the most recent full installer of Adobe Reader, which is currently Adobe Reader 9.3. After installation, the Adobe Reader Updater will automatically check and offer the latest patches to keep end-users up-to-date (as of today, the latest patch is Adobe Reader 9.3.3).
We have been working on a new method of always offering the latest version, whether full installer or patch, of our most popular language/platform pairs on the Adobe Download Center. This change will make its debut as scheduled on July 13, 2010 (by offering Adobe Reader 9.3.3 for installation) and will become standard operating procedure going forward. In addition, as always, the Adobe Reader Updater will continue to automatically check for new updates, or users can force an update by selecting Help > Check for Updates from the Adobe Reader menu.
Update on the New Updater
For our previous quarterly release on Tuesday, April 13, 2010, we activated the new Adobe Reader and Acrobat Updater for our user base. We have been very pleased with the results. When we compared the new updater against the older technology, we found that our users were much more likely to update using the new Adobe Reader Updater. Our data showed that the user population adopted the last update roughly three times faster than previous updates. This is an extremely important metric, since it greatly reduces the window of exposure available to attackers.
PDF “/Launch” Functionality Social Engineering Attack Update
In a previous blog post titled PDF /Launch Social Engineering Attack, I mentioned that Didier Stevens had demonstrated a social engineering attack, which relied on the “/Launch” functionality as described in the PDF specification (ISO PDF 32000-1:2008) under section 12.6.4.5. Today’s update includes changes to resolve the misuse of this command. We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.
If your organization relies on this capability, we recommend that the functionality be re-enabled.
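As an added defensive example (not Adobe's code and not part of the original post), the following Python scanner flags unobfuscated /Launch actions in a PDF so that a mail gateway or incident responder can triage documents before they reach users who still have the capability enabled. It decodes the #xx name escapes the specification allows (so /L#61unch is caught), pulls the file and parameter strings, and notes whether the action is wired to /OpenAction and therefore fires on open; both sample documents are constructed, and objects inside compressed object streams are not inflated here.

```python
import re

# Constructed sample (not a real document): a catalog whose /OpenAction points to
# a /Launch action, plus a second Launch action hidden behind a #xx name escape.
SAMPLE_WITH_LAUNCH = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (setup.exe) /P (/quiet) >> >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (notes.txt) >> endobj
%%EOF"""

# Constructed benign sample: only a URI action, no Launch.
SAMPLE_BENIGN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Type /Action /S /URI /URI (https://example.invalid/) >> endobj
%%EOF"""


def _normalize_names(data: bytes) -> bytes:
    # PDF names may hex-escape characters (/L#61unch == /Launch); decode them so
    # the match below cannot be dodged that way. Applied globally, which may also
    # touch string contents; acceptable for a triage scanner.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(pdf_bytes: bytes) -> list[dict]:
    """One record per /Launch action found in plain (uncompressed) objects."""
    data = _normalize_names(pdf_bytes)
    open_refs = {int(n) for n in re.findall(rb"/OpenAction\s*(\d+)\s+\d+\s+R", data)}
    findings = []
    for m in re.finditer(rb"/S\s*/Launch(?![A-Za-z])", data):
        end = data.find(b"endobj", m.end())
        body = data[m.start(): end if end != -1 else len(data)]
        # The enclosing object number is the last "N G obj" header before the match.
        headers = re.findall(rb"(\d+)\s+\d+\s+obj", data[: m.start()])
        obj_num = int(headers[-1]) if headers else None
        f = re.search(rb"/F\s*\(([^)]*)\)", body)   # literal-string file spec only
        p = re.search(rb"/P\s*\(([^)]*)\)", body)   # Windows launch parameters
        findings.append({
            "object": obj_num,
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
            "windows_specific": b"/Win" in body,
            "fires_on_open": obj_num in open_refs,
        })
    return findings
```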
We are Listening
Adobe Reader is relied upon by individuals, businesses and governments worldwide, and the security of our users continues to be a key priority for us. As part of our commitment, we continually listen to the feedback from our users and the community at large. That feedback is paramount, as we continue to develop new capabilities that strengthen the security of our products. So, please keep the feedback coming!
Steve Gottwals, Group Product Manager, Adobe Reader