Big news this week as Adobe issued a security update on Tuesday that patched up 29 vulnerabilities in Adobe Reader and Adobe Acrobat.
According to a Computerworld.com article, most of these bugs, which affected the latest versions of both applications, were used to take remote control of personal computers. Affected versions of Adobe Reader and Acrobat include 9.1.3 and earlier across the Windows, Mac OS and Linux platforms.
Now for the most part, Adobe had only one sure fire way to staunch previously exploited PDF vulnerabilities: disable JavaScript. Well after the fourth exploit this year, Adobe is doing something about it. The PDF innovators are tightening up their applications with a few defensive tweaks.
What’s in the Patch?
According to an Adobe Reader Blog posting, there comes the addition of a beta stage updater tool whose main purpose is to eventually mainstream and automate the way in which Adobe keeps their end-users updated.
Although it’s initially delivered in what Adobe Reader blogger Steve Gottwals calls a “passive state”, Adobe will activate it for users who are invited to take part in the beta program to “test a variety of network configurations encountered on the Internet in order to ensure a robust update experience”.
Also with the new update comes a change on how the applications deal with disabled JavaScript. Instead of getting a dialog box offering options when JavaScript is disabled, you basically get a golden bar with options for running JavaScript within the PDF document once or always (similar to the golden bar you get with hotmail spam boxes and pop-up blockers on your browsers). You can read the TechNote here.
Moreover, Adobe is introducing a JavaScript Blacklist Framework so you don’t have to disable JavaScript completely. With this tweak, you get selective control over the JavaScript API calls that are executed.
If the JavaScript is blacklisted, you’ll get a notification that it’s disabled for security reasons. For more details on this and how to set up a blacklist, check out the TechNote, Adobe Reader and Acrobat JavaScript Blacklist Framework.
You can get the patch from the Adobe Security Bulletin or use the applications’ native updater.
