Google Researchers Warn Of ‘Serious’ Unpatched Adobe Reader Flaws

Despite issuing patches for various products on Tuesday, Adobe has left a number of flaws including serious weaknesses in Adobe Reader, Google security researchers have warned.

Of particular concern to Google’s Mateusz Jurczyk and Gynvael Coldwind are bugs in Reader for Linux, although other issues affect versions for Windows and OS X. For the Linux version, which went completely unpatched, Adobe and Google have been working together to counter 14 “new unique crashes” and nine “test-cases” that were potentially exploitable for remote code execution.

When Adobe released a new version of Reader for Windows and Mac OS X earlier this week, it patched 12 vulnerabilities, but another 16 remained unpatched. Jurczyk and Coldwind decided to come forward with information on those flaws in the interest of user safety, as Adobe has no plans to issue additional out of band updates before 27 August.

‘Serious risk’

“Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release,” the Google researchers said.

“Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds.

“Given this, we consider users of Adobe Reader to be exposed to serious risk.

“It is important to note that all discussed vulnerabilities were found using publicly available PDF documents, altered using conceptually trivial mutation algorithms such as bitflipping. Given that, we believe it is very possible that third-parties specializing in bug hunting and vulnerability research may already know of and/or be targeting many of our reported issues.”

Adobe did fix a slew of critical flaws in its software on Tuesday, focusing on  “vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.”

The softare giant also removed its Flash Player plugin from the Google Play store yesterday. Flash, as well as Adobe Acrobat, have been beleaguered by security flaws in recent times.

Are you a security expert? Try our quiz!