Adobe Reader, the standard program for displaying PDF files, recently received the announced update to version 9.3.2 and 8.2.2, respectively.
The update fixes 15 security vulnerabilities, some of them critical, and many other bugs. The PDF format is now used heavily for attacks on users, with malicious code embedded in the files. According to surveys by the anti-virus software vendor F-Secure in the summer of last year, the PDF format is now even said to be the number 1 carrier when it comes to delivering malicious code.
The current Adobe Reader runs on Windows from Windows 2000 SP4 onward, Mac OS X and Linux/UNIX. A lightweight alternative is Foxit Reader.
Source: F-Secure
Note:
Adobe publishes only major product updates as setup files for Windows and OS X. For a fresh installation, version 9.3 or 8.2 must therefore be installed first and then updated manually or over the Internet.
Changelog:
Adobe Reader 9.3.2 and 8.2.2 contain security improvements that are described in Security Bulletin APSB10-09:
This update resolves a cross-site scripting vulnerability that could lead to code execution (CVE-2010-0190).
This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-0191).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0192).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0193).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0194).
This update resolves a font handling vulnerability that could lead to code execution (CVE-2010-0195).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0196).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0197).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0198).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0199).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0201).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0202).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0203).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0204).
This update resolves a heap-based overflow vulnerability that could lead to code execution (CVE-2010-1241).
The following issues were fixed in this version:
PDF Maker
2560751: Word document uploaded on the acrobat.com service runs into a timeout situation
Viewer
2558546: Loading pdf multiple times in same process caused memory leak in windows browsers
Security
2468381: Watermark visibility remains unchanged for a policy protected document (with watermark) when using it as background or foreground
2501756: Long term validation data for the OCSP response is not being embedded in the signature at signing time which results in invalid signatures that should be valid.
2518893: PPKlite plugin crashes when validating digital signatures
3D
2460950: Reader in the browser crashes when viewing some PDF files
2525795: Performance degradation experienced after setting preferences to "Render points as cross-hairs when opening a PDF file
Trust Manager
2537842: A PDF file trusted for Javascript still shows the Yellow bar and does not execute the javascript
2537849: When a PDF is added as a privileged location in Enhanced Security, Acrobat deletes the entry 'cAlwaysTrustedForJavaScript' under Key-\TrustManager\cTrustedFolders\
2558503: Adding a privileged location host from the Options button on the JavaScript injection Yellow Message Bar populates 1/2 of the privileged location keys it should.
2558529: bDisableTrustedSites and bDisableTrusted folders does not consistently prevent Options button from appearing on Yellow Message Bar for certain workflows.
2553890: Reader removes the “cAlwaysTrustedForJavaScript” value and places it in the “cUnsafeJavaScript” key with the same value when the same exact web site value is placed in the Trusted Hosts UI for Enhanced Security
