New Adobe Reader fixes some, but not all known bugs

[Mateusz Jurczyk <j00ru.vx () gmail com>]

Hey,

We’ve been recently working on PDF fuzzing, and consequently found
around 60 unique crashes in Adobe Reader (40 of which looked
potentially exploitable), which we reported to Adobe.

Today Adobe has released an update for Adobe Reader Windows and OS X
(no Linux update available yet) with most, but not all vulnerabilities
patched.

Since we were informed that the vendor was not planning to release an
out-of-band update anytime soon, and Adobe Reader for Linux users are
left behind with no update at all (patch-diffing anyone?), not even a
sandbox to mitigate the vulnerabilities, we decided to release a note
discussing the issues and possible mitigations.

You can read the note on either of our blogs:

http://gynvael.coldwind.pl/?id=483
http://j00ru.vexillium.org/?p=1175

Regards,
--
Mateusz "j00ru" Jurczyk, Gynvael Coldwind

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/