Adobe Reader 9.3 patch addresses critical JavaScript security issue

Usually on a Patch Tuesday, the discussion turns to Microsoft; but amid a very light round of Windows fixes, it's Adobe in the spotlight today. Last month, a serious and potentially easily exploitable vulnerability was found in a JavaScript API call, DocMedia.NewPlayer -- a situation where an intentionally crafted PDF file could invoke the call, deallocate the memory allocated when the media player is generated, and then execute the code in that de-allocated memory, without need for privilege.

Adobe Reader 9.3 was released today, right on schedule, to address this issue. In the meantime, the company is realizing the changing nature of the platform business, and how Reader/Acrobat and Flash are now just as susceptible to potential attacks as any other platform, including Windows. Interestingly, the cross-platform nature of the Acrobat platform means that Mac users were just as susceptible to this exploit as Windows users.

Beyond today's update, Adobe is busy working on non-improvised means for improving its platform users' security long-term. Already last October, it began implementing what it calls the JavaScript Blacklist Framework -- a way for its platforms to maintain actively updated lists of non-trusted sources for executable content. Last month, Adobe advised users to use this Framework to effectively blacklist the API call -- a way of turning off the vulnerable function (which was rarely in use anyway) as an alternative to disabling JavaScript.

Meanwhile, beta testers are working on a potential update to today's update: a new version of the Reader that replaces its current updating mechanism. Today, Reader automatically checks for updates whenever it starts. But as Adobe Senior Security Researcher Kyle Randolph blogged this morning, testers are examining the efficacy of an always-resident mechanism instead -- something that could silently update Reader and Acrobat (and perhaps Flash as well) in the background.

"The new updater improves the user experience and helps users stay up to date with the new option of receiving security updates automatically, via background updates, which have been shown to have better patch adoption," Randolph wrote. "Some customers, such as corporate IT administrators, need to know and manage which updates are installed and when. But a lot of customers, particularly consumers and individuals who don't have the autopilot luxury of a managed desktop environment, just want to have the most secure and up-to-date version, and don't want to be interrupted when it is time to install an update. By allowing customers to select an update process that automatically runs in the background, we can help protect more users from attacks against known, patched vulnerabilities."

It would be yet another always-present driver in the system, which in the case of Windows might go against the company's new architecture. Last November at Microsoft's PDC 2009 conference, Technical Fellow Mark Russinovich introduced Windows 7 developers to the Unified Background Process Manager -- a service that leverages the task scheduling system to enable processes to do their jobs and leave memory without staying resident all the time. At the show, Russinovich explained several reasons why this new architecture was not only more efficient, but conceivably more secure.

Adobe already uses one stay-resident utility, Speed Launcher, whose efficacy at performing its stated task has been somewhat variable -- more accurately, Adobe uses one Launcher for Reader and another for Acrobat. Having both on the same Windows XP-based system was the cause of a problem Betanews encountered a few years ago.