Adobe Systems Incorporated, has released three bulletins this month (APSB12-16/17/18) that fix a total of 26 vulnerabilities labeled as "critical", which can potentially lead to code execution: 20 in the Acrobat family, 5 in Shockwave Player and one in Flash player.
Some of these vulnerabilities are already being exploited by attackers who embed Flash animations in Word documents.
Google Chrome users will be updated automatically.
As a reminder of the announcement made by Adobe in June, from August 15 the versions of Flash Player for Android will no longer be officially downloaded from the Google Play Store, although security updates will continue to be provided until September 13, 2013.
Following the release of Adobe's latest bulletin for Reader and Acrobat (APSB12-16), researchers Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team (and former colleagues at Hispasec) have published their analysis in which they conclude that Adobe, apart from leaving Linux users unprotected (as no fixed version has yet been published) has not resolved all the vulnerabilities reported by themselves.
The group was in charge of the "fuzzing" project of the PDF reader integrated in Google Chrome. They detected more than 50 problems. The most critical ones have already been corrected in the browser reader. Given the "success" of the operation, they decided to perform the same tests against the Adobe reader.
They concluded their tests with 60 failures. 31 problems could be "trivially exploitable" and 9 potentially exploitable. In June, they contacted Adobe's security team, who were very collaborative from the start. But the latest bulletin only corrects about 25 of these flaws in its 12 CVEs.
Thus, the researchers conclude that there are about 16 problems not yet corrected, which could represent perhaps 8 serious vulnerabilities (since 25 problems gave rise to 12 CVEs). Keep in mind that the problems detected by "fuzzing" can originate in the same vulnerability, and be corrected with the same modification of the code.
Adobe says it will fix it in the future. August 27 marks the 60-day limit that the researchers imposed as a condition for giving details, but since Adobe has no intention of publishing an out-of-cycle newsletter, it appears that the deadline will be met without patches. So they have decided, now, to make available to all their discoveries, given the risk that users face.
Source: Hispasec I, II
