Two Google researchers have called out Adobe for failing to fix a batch of reported vulnerabilities in Adobe Reader in a timely manner, and are using the delay as justification for publishing details of the security holes. The researchers, Mateusz Jurczyk and Gynvael Coldwind, reported 46 reproducible crashes in Reader to Adobe back in June.
Adobe recently released new versions of Reader for Windows and Mac OS X that addressed only 25 of the reported critical crashes. The Linux version received no update. In keeping with Google's vulnerability disclosure policy, the researchers have now made public some details about the remaining vulnerabilities.
Adobe plans to fix the outstanding bugs and issue an update for the Linux version of Reader in an upcoming release, but that release is still some time away. According to the researchers' post:
“Adobe has confirmed they have no plans to issue additional out-of-band updates before August 27, which is 60 days after we disclosed all bugs. Since the Linux Reader version remains unpatched and the Windows/OS X patches are now available for diffing and reverse engineering, we have decided that it's in the best interest of users to be aware of these security issues without additional delay.”
Linux Adobe Reader users are advised to remove the Annots.api and PPKLite.api plug-ins. Beyond that, there are currently no known workarounds for the remaining unpatched vulnerabilities. The researchers' advice: limit use of Adobe Reader, do not open externally received PDF files, and disable the Adobe Reader browser extension for now. The report also discusses the sandbox feature of Reader X, which has vanished in the newest versions; hence Windows users are also advised to upgrade from Reader 9.x to Reader X.
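As a worked example of the Linux mitigation above, the following POSIX shell script disables the two named plug-ins by moving them out of Reader's plug-ins directory into a backup directory, verifies they are gone, and can put them back later. This is an added example, not code from the researchers' report or from Adobe; it assumes Reader 9 on Linux keeps its plug-ins under /opt/Adobe/Reader9/Reader/intellinux/plug_ins (override with ADOBE_PLUGIN_DIR if your install differs), and the function names are our own.

```shell
#!/bin/sh
# Added example: disable Adobe Reader's Annots.api and PPKLite.api plug-ins on
# Linux by moving them to a backup directory (reversible), then confirm they are
# no longer in the plug-ins directory. Not code from the report or from Adobe.
# Assumed plug-in location for Reader 9 on Linux; override via ADOBE_PLUGIN_DIR.
PLUGIN_DIR="${ADOBE_PLUGIN_DIR:-/opt/Adobe/Reader9/Reader/intellinux/plug_ins}"
# The two plug-ins the report recommends removing.
PLUGINS_TO_DISABLE="Annots.api PPKLite.api"

# disable_reader_plugins <plug-in dir> <backup dir>
# Moves each listed plug-in found in <plug-in dir> into <backup dir>.
# Prints the number of plug-ins moved; returns non-zero if mkdir or mv fails.
disable_reader_plugins() {
    dir="$1"
    backup="$2"
    moved=0
    mkdir -p "$backup" || return 1
    for name in $PLUGINS_TO_DISABLE; do
        if [ -f "$dir/$name" ]; then
            mv "$dir/$name" "$backup/$name" || return 1
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# reader_plugins_disabled <plug-in dir>
# Returns 0 when none of the listed plug-ins remain in <plug-in dir>, 1 otherwise.
reader_plugins_disabled() {
    dir="$1"
    for name in $PLUGINS_TO_DISABLE; do
        [ -e "$dir/$name" ] && return 1
    done
    return 0
}

# restore_reader_plugins <plug-in dir> <backup dir>
# Reverses disable_reader_plugins once a fixed Reader is installed.
# Prints the number of plug-ins restored.
restore_reader_plugins() {
    dir="$1"
    backup="$2"
    restored=0
    for name in $PLUGINS_TO_DISABLE; do
        if [ -f "$backup/$name" ]; then
            mv "$backup/$name" "$dir/$name" || return 1
            restored=$((restored + 1))
        fi
    done
    echo "$restored"
}

# When run on a machine that has Reader at the assumed path, apply the
# mitigation; otherwise only the functions above are defined.
if [ -d "$PLUGIN_DIR" ]; then
    count=$(disable_reader_plugins "$PLUGIN_DIR" "$PLUGIN_DIR.disabled")
    echo "moved $count plug-in(s) to $PLUGIN_DIR.disabled"
    if reader_plugins_disabled "$PLUGIN_DIR"; then
        echo "Annots.api and PPKLite.api are no longer in $PLUGIN_DIR"
    fi
fi
```

The script needs write access to the Reader install directory, so on a stock install it is run as root; keeping the moved files in a sibling `.disabled` directory rather than deleting them lets you restore them with `restore_reader_plugins` once Adobe ships the Linux fix.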