Adobe, the company behind popular technologies such as Flash Player, Shockwave or Adobe Reader released five security bulletins on the same day after teaming up with Microsoft to coordinate security releases.. Of the five, three may be affecting end users as they address vulnerabilities in Adobe Reader and Acrobat, Shockwave Player and Flash Player. All three have received a maximum severity rating of critical, the highest possible rating.

The bulletin APSB11-16 describes a critical vulnerability in Adobe Reader X 10.0.3 and earlier on Windows, and Adobe Reader X 10.0.3 and earlier on Macintosh, as well as earlier versions of Adobe Reader 9 and 8, and Adobe Acrobat 9 and 8. The vulnerability could be exploited by attackers to crash the application to take control of the computer system Adobe Reader X is running on.

Adobe recommends to update the software product to the latest available version. For Adobe Reader X that would mean to update to version 10.1, for users of Adobe Reader 9.4.4 and earlier to update to version 9.4.5.

Adobe Reader and Acrobat users can check for updates in the program interface. This is done via Help > Check for Updates. Updates can also be downloaded from the following locations.

• Adobe Reader Windows
• Adobe Reader Macintosh

You can also check out Adobe Reader X Offline Installers

Security Bulletin APSB11-17 describes vulnerabilities in Adobe Shockwave Player 11.5.9.620 and earlier on the Windows and Macintosh platform. Attackers who successfully exploit the vulnerabilities could run malicious code on the computer system. Adobe recommends to update Shockwave Player to version 11.6.0.626 to protect the system from possible exploits.

Windows and Mac users who run Shockwave Player on their system can download the latest version at the official download site.

Bulletin APSB11-18 finally describes a vulnerability in Adobe Flash Player that affects Adobe Flash Player 10.3.181.23 and earlier on Windows, Macintosh, Linux and Solaris, as well as Flash Player 10.3.185.23 and earlier for Android.

The vulnerability could be exploited to cause a crash which could allow the attacker to gain control over the affected system. Adobe has confirmed reports that the vulnerability is exploited in the wild in the form of targeted attacks on specifically prepared websites.

Adobe recommends to update Flash Player to Adobe Flash Player 10.3.181.26 on desktop operating systems. Android users will receive a patch before week’s end.

Users can verify their installed version of Flash Player by visiting the About Flash Player page at Adobe.

Adobe lists the latest version for all supported operating systems on the page, so that users only need to compare their installed version with the latest available version to see if they need to update.

The latest versions can be downloaded from Adobe’s Flash Player Download Center. Users who do not want to use the download manager can check out this guide Download Adobe Flash Without Adobe Download Manager.

Google Chrome users can check for updates in Chrome to get the latest version. This is done by clicking on the wrench icon and selecting About Google Chrome.

Govert’s Simple Imposition Tool is a free standalone software that can reformat pdf documents before printing. It is not only useful for users whose pdf readers cannot print multiple pages though, as it offers more than just that.

When you open the program for the first time, you notice a one-page layout where everything is configured. You load a pdf document at the top. The properties of the document are shown below, including the document’s size, pages and rotation.

Four formatting options and five optional settings are available under the Impose for section. You have the following formatting options:

• Booklet printing – Orders the pages automatically so that you get a booklet when you print and fold the printout. Optional foldmark can be added, which can be read by automatic folding machines.
• 2-up printing – Odd and even pages are printed side by side on one sheet of paper. Page Separation lines can be optionally added.
• Duplicate side-by-side – Print the same page twice on one sheet of paper. Cutmarks can be added to define where the document should be cut in half.
• 2x 1/2n – Places first half of multipage document side by side with second half. Duplex printing and cutmarks optional.

A click on the Action button launches a file save window where you can enter a name for the new pdf document. And that’s basically it.

If you compare the options to Adobe Reader, you notice that some are supported by Adobe’s product as well. You can use Adobe Reader to print multiple pages on one sheet and in booklet format. What’s not supported is the ability to print the same page multiple times on a sheet, and the option to place the first half of the document side by side with the second half.

The Simple Imposition Tool is available for Windows PCs. It requires the Microsoft .NET Framework 2.0. The program was tested under a 64-bit edition of Windows 7 Professional. It worked without flaws.

Affected are more or less all Flash users. This includes Flash installations on Windows, Mac and Linux, the built-in Flash Player of the Google Chrome browser, Flash on Android and Flash in Adobe Reader and Acrobat.

• Flash Player 10.2.153.1 and earlier versions on Windows, Mac, Linux, Solaris
• Adobe Flash Player 10.2.154.25 and earlier for Chrome
• Adobe Flash Player 10.2.156.12 and earlier versions for Android
• Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Adobe confirmed reports that the vulnerability is actively exploited. The vulnerability uses embedded Flash files in Microsoft Word documents to exploit the issue. According to Adobe’s information those are delivered as email attachments and targeting the Windows platform.

Adobe Reader and Acrobat do not appear to be targeted right now. Adobe Reader X users are protected from this exploit by the program’s Protected Mode.

Adobe is currently finalizing a schedule for delivering updates for all affected versions of Flash Player except for Adobe Reader X which will receive the update on the next quarterly security update on June 14, 2011.

How can users protect their system from these kind of attacks? You should be cautious when you receive document attachments, especially if they come from unknown senders. Probably the best option in this case is to save those attachments to the computer, and open them in an online viewer such as Google Docs.

You could alternatively use a third party document viewer that does not support Flash, but the safest bet is an online viewer.

Interested users find additional information about the newly discovered Flash vulnerability at the Adobe Security Bulletin.

You can initiate a standard search by pressing Ctrl-f, or
selecting the Edit > Search option from the menu. Advanced Search on the other hand is triggered with the shortcut Shift-Ctrl-f or via the Edit > Advanced Search menu.

Adobe Reader is not the only pdf reader that can find text in multiple pdf documents. Foxit Reader, a free pdf reading alternative, offers similar options. Foxit Reader users can use the shortcut Ctrl-Shift-f or select Tools > Search to open the search form of the program in a sidebar.

Adobe Reader opens the advanced search options in a new window. Here it is possible to switch from searching the current document to searching all pdfs in a folder on the hard drive. The folder is freely selectable, with My Documents being suggested by default.

A word or phrase needs to be entered into the search configuration form window. Expert users click on the Show More Options link at the bottom to display additional search filters and options.

Here it is then possible to include comments, attachments and bookmarks in the search, or search for whole words or case sensitive words only.

The more options page can be used to add additional search criteria, for instance to only search documents that have been created before or after a certain date, that have been written by a specific author or that contain object data or images.

It may take a while to scan the contents of all pdf documents that match the criteria. Adobe Reader displays the results in the same window. Results are sorted by document, and every instance of the word or phrase is shown on a separate line. A click on a line opens the containing page in the main Adobe Reader window.

Foxit Reader’s multi-pdf search options are limited in comparison. Here it is only possible to enter a search word or phrase, a directory that contains the pdf documents and a whole word and case sensitive filter.

Search results are displayed in a sidebar in the application window, a click puts the focus on the containing page. The search terms are highlighted by both applications on the pdf page.

Both programs are capable of finding text in multiple pdf documents. Users who need the additional filtering options find Adobe Reader’s pdf search more suitable as it offers more advanced options.

Are you using a different program or service to search for contents in multiple pdf documents? Let me know in the comments.

The critical vulnerability affects Adobe Flash, and since Adobe implemented Flash technology in Adobe Reader and Acrobat, those products as well.

The Flash vulnerability affects all Adobe Flash Player 10.2.152.33 and earlier versions on all supported operating systems, as well as Flash Player 10.2.154.18 and earlier for Chrome, Flash Player 10.1.106.16 and earlier for Android and Adobe AIR 2.5 and earlier. Google recently pushed an update that resolved the vulnerability for Chrome.

Attackers can exploit the vulnerability to cause a crash which could allow them to take control over the affected system. We already mentioned in our first report on March 14 that the issue was actively exploited by attackers in the form of embedded Flash files in Microsoft Excel documents that were delivered as email attachments.

The Flash Player update is available on the official Flash download page over at Adobe. Google Chrome users with automatic updates enabled do not need to download the update as Google has already pushed an update to all Chrome users that updated Flash to the latest version.

The new Flash version is 10.2.153.1 for all supported desktop PCs, 10.2.156.12 for Android and 10.2.154.25 for Google Chrome.

Adobe AIR users can download the new version of the application from the official Adobe AIR download center, the new Adobe Air version is 2.6.

Users can verify their version of Adobe Flash by visiting the About Adobe Flash Player page.

The Security Bulletin that lists additional information is accessible here.

Adobe has released an update for Adobe Reader and Acrobat as well to address the same critical security vulnerability. Adobe Reader and Acrobat X, 10.x and 9.x are affected on Windows and Macintosh systems.

Existing Adobe Reader and Adobe Acrobat users can use the built-in updating functionality to update the software to the latest version. They need to open Adobe Reader and select Help > Check for Updates from the menu to initiate that process.

It needs to be noted that Adobe is not supplying an update for Adobe Reader X at this point in time. The reasoning is that Adobe Reader X is using Protected Mode which “would prevent an exploit of this kind from executing”. The update will be addressed on the coming quarterly security update which is scheduled for June 14.

The security bulletin lists additional information about the vulnerability, and download links that point to the latest program versions of affected applications.

Adobe has confirmed reports that the vulnerability is actively exploited via swf files that are embedded in Microsoft Excel files that are delivered via email attachments. A successful exploit causes a crash of the application and could give an attacker control over the computer system.

A security fix is in the final stages of development, and Adobe estimates that it can be distributed during the next week. Computer users for now should be very cautious when they receive emails with Excel attachments, especially if the sender is unknown. It may be a good idea to open the documents online, for instance via Google Docs instead of a desktop client to block potential attacks.

Protected Mode of Adobe Reader X mitigates the issue according to Adobe, so that the security fix for that version will be delivered with the quarterly security update that is scheduled for June 14.

In short:

• All Flash Player versions 10 are affected for all supported desktop and mobile operating systems.
• All versions of Adobe Reader and Acrobat X, 10 and 9 are affected
• The vulnerability is exploited via Excel email attachments that have a Flash file embedded.
• A patch will be delivered in the next week

Additional information are available at the Security Advisory over at Adobe’s website.

The security update for Adobe Flash Player fixes several critical vulnerability in Flash Player 10.1.102.64 and earlier on Windows, Macintosh, Linux and Solaris. Successful exploits could “cause the application to crash and could potentially allow an attacker to take control of the affected system”.

The update increases the version of the application to Adobe Flash Player 10.2.152.26 on all affected systems.

The update can be downloaded directly from Adobe.

More information about the update are available on Adobe’s Security Bulletin page.

Adobe Reader, Acrobat

Critical vulnerabilities have also been identified in Adobe Reader and Acrobat. Affected versions include Adobe Reader X, Adobe Reader 9.4.1 for Windows, Macintosh and Unix, and Adobe Acrobat X and earlier for Windows and Macintosh. Please note that the update incorporates the Adobe Flash Player update.

The vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations”.

Updates are available to increase the version of Adobe Reader X to 10.0.1, Adobe Reader 9.4.1 to 9.4.2 and Adobe Acrobat X to 10.0.1.

Download links for all affected applications are posted on the security bulletin page over at Adobe.

The Microsoft Security Bulletin Advance Notification for February 2011 details the upcoming patches. A total of 12 security bulletins are released next Tuesday of which all but one fix issues in the Microsoft Windows operating system. The remaining patch fixes a vulnerability in Microsoft Office.

Three of the security vulnerabilities have received a maximum severity rating of critical, the highest available rating, the remaining nine a severity rating of important.

• Microsoft’s newest operating system Windows 7 is affected by seven of the twelve issues. Of those, two are rated critical and the remaining five as important.
• Windows Vista is affected by six vulnerabilities with three rated as critical and the remaining three as important.
• Windows XP is affected by eight vulnerabilities with two being rated as critical and six as important.
• Windows Server 2003 is affected by 10 vulnerabilities of which one is critical, eight are important and one is moderate.
• Windows Server 2008 is affected in the same way as the Vista operating system, with the exception that one of the critical vulnerabilities is only rated as moderate here.
• Windows Server 2008 R2 finally is affected the same way as Windows 7, again with the exception of two vulnerabilities that are rated as moderate instead of critical and important.

The remaining vulnerabiliy affected Microsoft Visio 2002 Service Pack 2, Visio 2003 Service Pack 3 and Visio 2007 Service Pack 2. It is rated as important.

The advanced notifications are accessible here.

Adobe

Adobe has released a Prenotification Security Advisory for Adobe Reader and Acrobat.

Adobe is planning to release updates for Adobe Reader X (10.0) for Windows and Macintosh, Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX, Adobe Acrobat X (10.0) for Windows and Macintosh, and Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh to resolve critical security issues. Adobe expects to make updates for Windows and Macintosh available on Tuesday, February 8, 2011. An update for UNIX is expected to be available by the week of February 28, 2011.

Expect lots of patching next Tuesday. We will post detailed information once the patches are released by Microsoft and Adobe.

This guide explains where those offline installers of Adobe’s pdf reader can be downloaded. I’ll also include an explanation where future offline installers can be found at, to make this method foolproof with future Adobe Reader updates.

Adobe Reader X Offline Installers Windows

• Adobe Reader X French Offline Installer [link]
• Adobe Reader X German Offline Installer [link]
• Adobe Reader X Japanese Offline Installer [link]
• Adobe Reader X US-English Offline Installer [link]

Adobe Reader X Offline Installers Mac

• Adobe Reader X French Offline Installer [link]
• Adobe Reader X German Offline Installer [link]
• Adobe Reader X Japanese Offline Installer [link]
• Adobe Reader X US-English Offline Installer [link]

Adobe Reader X Offline Installers Linux

Not yet available, expected to be released at the end of this month.

How To Find Future Adobe Reader Offline Installer Packages

Adobe loads offline installers on their public ftp server. All you need to do to download a new offline installer after an update of Adobe Reader is to visit the following ftp directories on Adobe’s ftp server. You need to follow the path to the latest version.

Just open this ftp directory in a browser or ftp server and navigate to the release of Adobe Reader that you need. It begins with the selection of the operating system (Win for Windows, Mac for Apple Macintosh and Unix for all Linux variants).

The major release versions are then displayed in the subdirectory. Just select the highest version (in this case it would be 10.x) and follow the lead. After that the supported languages are displayed. Pick your language, this leads to direct downloads of Adobe Reader offline installers in the selected language.

But what makes Adobe Reader x different from previous releases of the pdf reader?

Reader X for desktop enables an even greater level of interaction with the ability to share feedback through the use of Sticky Notes and Highlighter tools, as well as view a larger variety of content types including drawings, email messages, spreadsheets, videos, and other multimedia elements. You can also take advantage of the added security of Protected Mode in Reader X, which helps ensure safer viewing of PDF files.

It is rather strange that the announcement by Steve Gottwals over at Adobe lists the feature that I would consider the most important at the end of the new feature description.

So what’s Adobe Reader Protected Mode?

[..] Protected Mode is a sandboxing technology based on Microsoft’s Practical Windows Sandboxing technique. It is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. [..] With Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the “sandbox.” Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality. (via)

Adobe Reader X comes with protected mode enabled by default. That’s great for users who felt that to many security vulnerabilities were discovered for Adobe’s pdf reader.

The main purpose of the sandbox is to mitigate attacks, so that the impact on the system is negligible.

The initial release of protected mode does is not a feature complete release.

This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry

Adobe plans to extend the sandbox by including read-only activities ” to protect against attackers seeking to read sensitive information on the user’s computer”.

Adobe Reader X is available for download at the official Adobe website.

Users who prefer to download Adobe Reader X directly can download it from Adobe’s ftp site instead:

• Adobe Reader X Windows Download: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/
• Adobe Reader X Linux Download:ftp://ftp.adobe.com/pub/adobe/reader/unix/
• Adobe Reader X Mac Download: ftp://ftp.adobe.com/pub/adobe/reader/mac/

To make matters worse, a new vulnerability has been confirmed by Adobe affecting Adobe Reader 9.2 or later and Adobe Reader 8.1.7 or later. A “proof-of-concept file demonstrating a Denial of Service was published” already that crashes the pdf reader. The exploit does not demonstrate arbitrary code execution, but Adobe is not eliminating the possibility at this point in time. It has to be noted that Adobe Acrobat is not affected by the security vulnerability.

The blog post of the Security and Response team offers instructions on how to protect the computer system from this vulnerability.

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Windows

On Windows, the JavaScript Blacklist can be in two locations. Please review the following options and then create the registry key of your choice:

Enterprise list: This blacklist helps enterprises roll out policies that block exploitable API(s) from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registry location.
To create the registry key:
HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\tBlackList

Adobe’s update/patch list: The Adobe blacklist is modified by Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch.
To create the registry key:
HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms\tBlackList

On a 64 bit Windows system, the path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe

->To prevent this particular issue, add the following value to the registry key created in the previous step (case sensitive):
Doc.printSeps

->Exit and restart the application

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Macintosh

On your Macintosh computer, go to the Applications folder or to the location where you have Adobe Reader installed.
Right-click on Adobe Reader
Click on Show Package Contents
Expand Contents
Expand MacOS
Expand Preferences
Create a backup of the FeatureLockDown file.
Right-click on FeatureLockDown.
Open With TextEdit.
Just before the last >> add the following line to the FeatureLockDown file (case sensitive):
/JavaScriptPerms [ /c << /BlackList [ /t (Doc.printSeps) ] >> ]
Save the file
Restart Adobe Reader

Adobe Reader 9.2 and later – UNIX

Go to the Global Prefs file at:
/Reader/GlobalPrefs/reader_prefs
Add the following line to the file:
/JavaScriptPerms [/c << /BlackList [/t (Doc.printSeps) ] >> ]

There you have it. Make sure you protect your version of Adobe Reader from the vulnerability by following the instructions posted above. The posting does not offer any information on the consequences of protecting the pdf reader from the vulnerability. It is also not clear if Adobe will be able to include the patch for this vulnerability in the upcoming update.

As if that was not enough, there is also a new vulnerability in Adobe Shockwave Player.

Krystian Kloskowski has discovered a vulnerability in Shockwave Player, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a use-after-free error in an automatically installed compatibility component as a function in an unloaded library may be called.

Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into opening the “Shockwave Settings” window when viewing a web page.

The vulnerability is confirmed in version 11.5.9.615. Other versions may also be affected.

The description makes it clear that systems are only vulnerable to this attack if the user opens the Shockwave Settings window on a specially prepared website.

Basically, both Flash Player and Adobe Reader / Acrobat are affected by the security vulnerability. According to Adobe’s security bulletin, the issue is actively exploited against Adobe Reader and Acrobat on Windows.

Adobe is currently working on patches and aims to release the Flash Player patch on November 9, 2010 and the Adobe Reader / Acrobat patch on November 15, 2010. That’s puzzling considering that the company has admitted that the issue is actively exploited against Adobe Reader and Acrobat.

Mitigations were posted to protect the computer system.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content. The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

No mitigating factors were offered for the Flash vulnerability. The only ones that are known to work are to either disable Adobe Flash in the browser, or to use a flash blocking script such as NoScript for Firefox.

The Register has additional information about the pdf exploit. According to their information, attackers “install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.”

With patches as far away as two weeks, it is recommended to disable authplay.dll in Adobe Reader or Acrobat, and disable or block the Flash plugin in the web browser to protect the computer system against these attacks.

The rushed state of the release indicates that the issue gets actively exploited which is confirmed in Adobe’s Security Bulletin that mentions that the issue is being actively exploited in the wild. Attackers may be able to crash the application on the computer and take control of the affected system in the process. Upgrading is the only way of protecting the computer from those vulnerabilities.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This accelerated patch breaks Adobe’s quarterly patch day that is set for every second Tuesday of each quarter of the year to fall in line with Microsoft’s Patch Tuesday. Interested users can take a closer look at the Security Bulletin, or point their web browsers to Get Adobe Reader right away to download the latest version of the pdf reader. Updates are also available directly in the program (by clicking on Help > Check for Updates).

User systems in the meantime were susceptible to those attacks. The latest critical vulnerability in Flash was revealed in a security advisory at the Adobe website.

The critical vulnerability in all Flash Player versions for all supported operating systems – yes even Android – impacts not only systems running Flash, but also systems running Adobe Reader 9.3.4 and Adobe Acrobat 9.3.4.

Adobe states that “this vulnerability could cause a crash and potentially allow an attacker to take control of the affected system” with reports that the vulnerability is already actively exploited in the wild “against Adobe Flash Player on Windows”.

Adobe expects to provide an update during the week of September 27 for Adobe Flash Player, and October 4 for Adobe Reader and Acrobat.

Until then, all users running Adobe Flash or Adobe Reader / Acrobat are vulnerable to the critical vulnerability. Make sure your security software detects the vulnerability and blocks it from execution.

One question that Chrome readers may have in mind: Is the build in Flash plugin also susceptible for attacks? In short, yes it is. The latest Chrome internal Flash Player plugin version is listed as 10.1.82.76, which is exactly the version that is vulnerable. The design of the browser may however mitigate the impact on the system, as may the out of process feature of the Firefox web browser.

We say may because we have no confirmation at this point.

The out-of-cycle update outlines the severity of the vulnerabilities that have been parched in the version, as Adobe usually releases updates in a three month cycle.

The updates address previously disclosed security vulnerabilities at the Black Hat USA 2010 conference on July 28, and furthermore incorporate the Adobe Flash Player update noted in the security bulletin released in July.

Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4.

Adobe Reader and Acrobat users are asked to update their pdf reader as soon as possible to protect their computer system from exploits that can lead to remote code execution.

Adobe Reader
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Note: Adobe Reader 9.3.4 for Windows, Macintosh and UNIX will be available from the Adobe Reader Download Center at http://get.adobe.com/reader/ by August 31, 2010.

Adobe Acrobat
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

More information available at Adobe’s Security Bulletin.

Adobe expects to make the updates “available during the week of August 16, 2010″, which does mean that millions of computer systems running either Adobe Reader or Adobe Acrobat are left vulnerable for the time being.

Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. Adobe expects to make these updates available during the week of August 16, 2010

The security advisory does not reveal information about the vulnerabilities, only that one was discussed at last month’s Black Hat USA 2010 security conference, that all platforms are affected, and that Adobe Reader 9.3.3 and earlier, and Adobe Acrobat 9.3.3 and earlier are affected.

The advisory over at Secunia reveals additional details about the vulnerability discussed at the Black Hat conference. The Adobe Reader / Acrobat Font Parsing Integer Overflow Vulnerability has been rated as highly critical, the second highest possible rating.

The vulnerability is caused due to an integer overflow error in CoolType.dll when parsing the “maxCompositePoints” field value in the “maxp” (Maximum Profile) table of a TrueType font. This can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font.

Successful exploits may allow remote code execution on the targeted system.

Users with Adobe Reader or Adobe Acrobat installed may want to consider switching to another pdf reader for the time being, to protect their computer system from those vulnerabilities. Alternatives are listed on our pdf reader comparison page.

Instead they are still offering Adobe Reader 9.3 for download, a version that has been releases in January 2010, and updated three times since then to fix security vulnerabilities of which some are used in attacks.

adobe reader

This opens a can of worms and raises a question, how are Adobe Reader downloaders supposed to know that the version offered is not the latest? They apparently do not get that information on the Adobe Reader download page, nor are they informed about the insecure version on startup of the pdf reader.

Adobe seems to solely rely on the Adobe Reader and Acrobat Manager, Adobearm which is configured as a startup process to launch with the operating system. This in itself is problematic depending on the computer system. Adobe ARM does not get executed before the next startup, which means that systems that run 24/7 will be insecure for that time, unless the administrator updates the program manually.

It is also inefficient if the computer user decided to block the program from being started automatically with the operating system. That’s highly understandable considering that Adobe does not provide local information about the startup item. A quick search on the Internet confirms the confusion as many users thought that the process was for ARM processors only.

Lastly, users who do not allow automatic updates on their system will also be left with an insecure version of Adobe Reader.

How to update Adobe Reader

There are two possibilities to update Adobe Reader. The first is to use the Help > Check For Updates option in the program itself. That’s obviously only an option if the computer is connected to the Internet as it will query Adobe servers to retrieve the latest version.

adobe reader update

The second option is to download the patches for Adobe Reader directly from the Adobe website.

Adobe Reader 9.3.1 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.2 Windows, Mac (Intel), Mac, Unix
Adobe Reader 9.3.3 Windows, Mac (Intel), Mac, Unix

Product Update Pages: Windows, Mac, Unix

Do you have Adobe Reader installed on your system? If so, which version is it?

Still, it is a valid question. Do pdf readers render pdf documents differently, and if that’s the case, which one is the best of the pack?

Some rules had to be established for this test; All pdf readers should display the same page of the same pdf document in 100% and 200% view as well as a sample paragraph in 100%. Screenshot quality had to be the same to make it easier for anyone to spot possible quality differences in the text rendering engine.

I have also decided to only add free pdf viewers to the list.

List of pdf readers:

• Adobe Reader 9.3.3
• Foxit Reader 4.0
• Nitro PDF Reader 1.1.1.13
• Sumatra PDF 1.1
• PDF-XChange Viewer
• STDU Viewer
• Nuance PDF Reader
• Evince

Test System:

• Microsoft Windows 7 Professional 64-bit
• 8GB computer memory
• Intel Core i7 860
• HP w2408h widescreen monitor, 1920×1200 resolution
• Ati Radeon 4870, latest Catalyst drivers
• Test Pdf

The screenshots:

Thumbnails are displayed due to size limitations, click on a thumbnail to view the full sized image.

Samples

pdf reader quality samples

The first batch of samples shows that pdf readers display the same text in a different font sizes. Adobe Reader uses the largest font sizes while STDU Viewer the smallest, which offers a barely readable rendering of the text in that size. Quality obviously depends on a few factors that might differ from system to system.

What’s your favorite pdf reader? Let us know in the comments.

The 100% sample screenshot comparison

pdf reader quality

Now the 200% samples of the eight pdf readers

pdf reader quality 200

As you can see, rendering quality differs highly depending on which pdf reader has been used to display the pdf document. Adobe Reader followed by Sumatra provide a very good rendering quality. The pdf rendering quality obviously depends on a few factors that are influenced by computer hardware.

I would still recommend either Adobe Reader or Sumatra as they seem to provide the best rendering quality of all tested pdf readers. Sumatra especially for users who do not want anything to do with Adobe Reader.

The security bulletin sheds some light on the security issues that have been fixed in the release. A total of 17 different vulnerabilities have been fixed in Adobe Reader 9.3.3. Adobe has categorized the update as critical and recommends that users apply the latest updates immediately to protect their computer systems.

Exploits of any security vulnerability that has been patched in the update can lead to code execution on the affected system.

Adobe confirmed that at least one of the security vulnerabilities is actively exploited in the wild.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.

This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).

This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).

This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).

This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).

This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).

Adobe Reader 9.3.3 and Acrobat 9.3.3 are available for download at the Adobe website. Also available are Adobe Reader 8.2.3 and Adobe Acrobat 8.2.3 which both fix the security issues as well.

The vulnerabilities received a severity rating of highly critical, the highest possible rating, by Secunia since they were both actively exploited and would allow remote code execution on affected computer systems.

Adobe’s Response Team has updated the security vulnerability with the planned schedule for a patch to resolve the issue.

According to those information a patch for Flash Player 10 will be released on June 10 while Adobe Reader and Acrobat 9 users have to wait until June 29 for the patch.

The patches will be made available for all supported operating systems with the exception of Flash Player for Solaris.

The delay until the page becomes available is bad news for Adobe Reader and Acrobat users who have to find ways to protect their systems from the security vulnerability in the meantime.

Adobe is offering mitigation instructions on their website for Windows, Unix and Macintosh.

Adobe Reader and Acrobat – Windows

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x – Macintosh

1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Acrobat Pro 9.x – Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Adobe Reader 9.x- UNIX

1) Go to installation location of Reader (typically a folder named Adobe)
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
3) Remove the library named “libauthplay.so.0.0.0″

It is recommended to either perform the operations on affected computer systems or switch to another pdf reader at least for the time until the vulnerability gets fixed.