Patch finally here for critical Adobe zero-day

One day ahead of schedule -- but perhaps too late to silence critics -- Adobe on Tuesday delivered a much-anticipated update to its Reader and Acrobat products.

Version 9.1 addresses a critical heap overflow vulnerability in the previous version that has been exploited in the wild since the end of last year, Adobe said in a security bulletin.

Updates for versions 7 and 8 of Reader and Acrobat are scheduled to be released by March 18, and Adobe Reader 9.1 for Unix is planned for a push-out on March 25, the company said.

On Feb. 19, Adobe notified users about the vulnerability, which was being actively exploited in targeted attacks in the wild. However, Adobe said a patch would not be available until March 11.

Brad Arkin, Adobe's director of product security and privacy, told SCMagazineUS.com that the company discovered the flaw on Jan. 16 when one of Adobe's partners in the security community shared a malicious PDF file and said they had seen instances of it in the wild.

Arkin said that from the time the company discovered the vulnerability, fixing it became a top priority. But before the company could issue an update, engineers had to ensure the patch worked on all platforms and languages that Reader supports, and that it did not introduce new issues and functioned as it should. 

Some security industry observers weren't satisfied with that explanation.

“Two months seems to be a rather long time to address the issue and it makes me wonder whether Adobe has a setup [in place] to react to security flaws in an out-of-band manner, rather than through normal product cycles,” Wolfgang Kandek, CTO of vulnerability management firm Qualys, told SCMagazineUS.com in an email Wednesday. “Vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quickly develop and deploy a fix.”

HD Moore, creator of the ethical hacking site Metasploit, said considering its market share, Adobe should have acted sooner.

“What part of ‘your customers are being exploited’ do they not understand?” Moore wrote in a Metasploit blog post on Feb. 23.