Adobe patched a huge number of flaws in its Reader software on Windows and Mac OS X Tuesday, but the problem is there are more flaws that didn’t get fixed.
Google researchers said that a number of serious vulnerabilities in the Windows and OS X versions of the application remain unpatched. Because Adobe did not fix them, the researchers released limited details of the bugs along with advice on how users can mitigate the risk.
The Google security team began a project earlier this year to find potentially exploitable crashes in Reader, one of the most widely deployed applications on the Web. The team first ran its test corpus against Chrome’s embedded PDF reader, came up with more than 50 bugs ranging in severity from low to high, and reported them to Adobe. The company fixed all of the high and critical severity vulnerabilities in its patch release this week.
The Google team then turned its attention to Adobe Reader running on GNU/Linux, fuzzing it with large volumes of malformed input, and came up with 60 crashes. They sent the crash data to Adobe, but none of the Linux flaws were fixed in Tuesday’s patch release. The researchers also said that outstanding vulnerabilities in the Windows and OS X versions of Reader remain unpatched, and that attackers may be able to find the flaws independently.
However, the remaining vulnerabilities are in older, non-sandboxed versions of Reader. Users who run Adobe Reader X for Windows, which includes a sandbox that limits the impact of exploiting certain bugs, are at less risk from them.