DocMedia.NewPlayer -- a situation where an intentionally crafted PDF file could invoke the call, deallocate the memory allocated when the media player is generated, and then execute the code in that de-allocated memory, without need for privilege.
Adobe Reader 9.3 was released today, right on schedule, to address this issue. In the meantime, the company is realizing the changing nature of the platform business, and how Reader/Acrobat and Flash are now just as susceptible to potential attacks as any other platform, including Windows. Interestingly, the cross-platform nature of the Acrobat platform means that Mac users were just as susceptible to this exploit as Windows users.
Meanwhile, beta testers are working on a potential update to today's update: a new version of the Reader that replaces its current updating mechanism. Today, Reader automatically checks for updates whenever it starts. But as Adobe Senior Security Researcher Kyle Randolph blogged this morning, testers are examining the efficacy of an always-resident mechanism instead -- something that could silently update Reader and Acrobat (and perhaps Flash as well) in the background.
"The new updater improves the user experience and helps users stay up to date with the new option of receiving security updates automatically, via background updates, which have been shown to have better patch adoption," Randolph wrote. "Some customers, such as corporate IT administrators, need to know and manage which updates are installed and when. But a lot of customers, particularly consumers and individuals who don't have the autopilot luxury of a managed desktop environment, just want to have the most secure and up-to-date version, and don't want to be interrupted when it is time to install an update. By allowing customers to select an update process that automatically runs in the background, we can help protect more users from attacks against known, patched vulnerabilities."
It would be yet another always-present driver in the system, which in the case of Windows might go against the company's new architecture. Last November at Microsoft's PDC 2009 conference, Technical Fellow Mark Russinovich introduced Windows 7 developers to the Unified Background Process Manager -- a service that leverages the task scheduling system to enable processes to do their jobs and leave memory without staying resident all the time. At the show, Russinovich explained several reasons why this new architecture was not only more efficient, but conceivably more secure.
Adobe already uses one stay-resident utility, Speed Launcher, whose efficacy at performing its stated task has been somewhat variable -- more accurately, Adobe uses one Launcher for Reader and another for Acrobat. Having both on the same Windows XP-based system was the cause of a problem Betanews encountered a few years ago.
By Scott M. Fulton, III, Betanews