Google Researchers Warn Of ‘Serious’ Unpatched Adobe Reader Flaws

Despite issuing patches for various products on Tuesday, Adobe has left a number of flaws including serious weaknesses in Adobe Reader, Google security researchers have warned.

Of particular concern to Google’s Mateusz Jurczyk and Gynvael Coldwind are bugs in Reader for Linux, although other issues affect versions for Windows and OS X. For the Linux version, which went completely unpatched, Adobe and Google have been working together to counter 14 “new unique crashes” and nine “test-cases” that were potentially exploitable for remote code execution.

When Adobe released a new version of Reader for Windows and Mac OS X earlier this week, it patched 12 vulnerabilities, but another 16 remained unpatched. Jurczyk and Coldwind decided to come forward with information on those flaws in the interest of user safety, as Adobe has no plans to issue additional out of band updates before 27 August.

‘Serious risk’

“Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release,” the Google researchers said.

“Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds.

“Given this, we consider users of Adobe Reader to be exposed to serious risk.

“It is important to note that all discussed vulnerabilities were found using publicly available PDF documents, altered using conceptually trivial mutation algorithms such as bitflipping. Given that, we believe it is very possible that third-parties specializing in bug hunting and vulnerability research may already know of and/or be targeting many of our reported issues.”

Adobe did fix a slew of critical flaws in its software on Tuesday, focusing on  “vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.”

The softare giant also removed its Flash Player plugin from the Google Play store yesterday. Flash, as well as Adobe Acrobat, have been beleaguered by security flaws in recent times.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

15 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

17 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

19 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

20 hours ago