Patch finally here for critical Adobe zero-day

One day ahead of schedule -- but perhaps too late to silence critics -- Adobe on Tuesday delivered a much-anticipated update to its Reader and Acrobat products.

Version 9.1 addresses a critical heap overflow vulnerability in the previous version that has been exploited in the wild since the end of last year, Adobe said in a security bulletin.

Updates for versions 7 and 8 of Reader and Acrobat are scheduled to be released by March 18, and Adobe Reader 9.1 for Unix is planned for release on March 25, the company said.

On Feb. 19, Adobe notified users about the vulnerability, which was being actively exploited in targeted attacks in the wild. However, Adobe said a patch would not be available until March 11.

Brad Arkin, Adobe's director of product security and privacy, told SCMagazineUS.com that the company discovered the flaw on Jan. 16 when one of Adobe's partners in the security community shared a malicious PDF file and said they had seen instances of it in the wild.

Arkin said that from the time the company discovered the vulnerability, fixing it became a top priority. But before the company could issue an update, engineers had to ensure the patch worked on all platforms and languages that Reader supports, and that it did not introduce new issues and functioned as it should. 

Some security industry observers weren't satisfied with that explanation.

“Two months seems to be a rather long time to address the issue and it makes me wonder whether Adobe has a setup [in place] to react to security flaws in an out-of-band manner, rather than through normal product cycles,” Wolfgang Kandek, CTO of vulnerability management firm Qualys, told SCMagazineUS.com in an email Wednesday. “Vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quickly develop and deploy a fix.”

HD Moore, creator of the ethical hacking site Metasploit, said considering its market share, Adobe should have acted sooner.

“What part of ‘your customers are being exploited’ do they not understand?” Moore wrote in a Metasploit blog post on Feb. 23.