Adobe Skips Some Reader Patches with Latest Update
A Google security team is warning that Adobe has passed on fixing a number of vulnerabilities in its Reader software for viewing PDF documents.
Adobe released a new version of Reader on Tuesday that fixed about 20 vulnerabilities in the Mac and Windows versions of the product. Despite the large number of flaws addressed in the patches, a number of serious vulnerabilities remained untouched, according to an analysis released on Wednesday by Mateusz Jurczyk and Gynvael Coldwind of Google.
Google's interest in Reader stems from the PDF viewer being embedded in Google's Chrome browser. Earlier this year, the Google team started testing the application for exploitable bugs exposed through crashes of the viewer.
While Adobe fixed vulnerabilities rated high and critical, lesser flaws were untouched. "Unfortunately, 16 more crashes affecting Windows, OS X, or both systems remain unpatched," the Google security team said.
Adobe acknowledged receiving a list of bugs from Google in late June and tackling "around 75 percent of the issues in the short time since the report came in."
"We plan to address the remaining issues in the next release of Adobe Reader and Acrobat," Adobe spokeswoman Wiebke Lips told CSO Online by email. "Adobe is not aware of any exploits in the wild for any of the issues reported by Google," she said.
Google's policy is to give application developers 60 days to fix vulnerabilities before exposing the flaws. On June 21 and June 27, Google notified Adobe of a total of 60 reproducible crashes related to Reader bugs. Not all the flaws were serious security risks.