Not too long ago, Microsoft regularly bore harsh criticism from security observers for its perceived lack of openness and response regarding major product vulnerabilities. With Redmond's patch process significantly revamped, Adobe, it seems, now has assumed the role of industry punching bag.
On Feb. 19, when Adobe disclosed a gaping hole in its Reader and Acrobat software, attackers already had, since late last year, been using specially crafted PDFs to exploit the flaw in targeted attacks. But the San Jose, Calif. company told users they'd have to wait until March 11 – another three weeks – for a fix.
This sparked a debate among the security community about responsible disclosure and caused some to question why Reader has become the one-size-fits-all PDF viewer for businesses.
HD Moore, creator of the ethical hacking site Metasploit, said that considering its market share, Adobe should have acted faster.
“They could have been much more responsive and at least issued a temporary patch until they issued a full patch,” Moore said.
Brad Arkin, Adobe's director of product security and privacy, said that one of the important considerations when dealing with a new bug is striking a balance.
“We felt that if we put an advisory out, it would make information more widespread among users, but it would have informed more bad guys about the problem.”
Mikko Hypponen, chief research officer at F-Secure, said the long delay would not have been an issue if businesses didn't rely on Adobe's products as the de facto standard for viewing PDFs.
“There are alternatives, and they are all faster, smaller and more secure,” Hypponen said.
He admitted, though, that other PDF readers don't necessarily have fewer holes, but are used less prevalently, and thus targeted less.
– Angela Moscaritolo
Editor's note: This vulnerability was patched with an update, Adobe Reader and Acrobat v9.1, issued on March 10.