
Adobe’s PDF vulnerability patched

Security researchers say Adobe's PDF vulnerability, which was fixed Tuesday, is more of a pressing issue than Microsoft's PowerPoint vulnerabilities fixed the same day.

Adobe issued Windows updates for Reader and Acrobat versions 7, 8 and 9 and Macintosh and Unix updates for versions 8 and 9 for a vulnerability in Reader and Acrobat. The company said updates for Adobe Reader and Acrobat 7 for Macintosh are scheduled to be available before the end of June, according to the security bulletin.

The vulnerability, which relates to a JavaScript memory corruption error and garnered a "highly critical" rating from Secunia, affects all supported versions on the Windows, Macintosh and Linux platforms. Proof-of-concept code is circulating on the internet, but Adobe representatives said in early May they are not aware of any in-the-wild exploits.

The patch also addresses a second vulnerability in Adobe's Reader for Unix software. 

Microsoft issued a fix for 14 bugs in PowerPoint Tuesday, but researchers say Adobe's vulnerabilities are more pressing than Microsoft's.

Paul Henry, security and forensic analyst for Lumension, told SCMagazineUS.com that it is important to remember that historically, files like Adobe PDFs or those in Word, Excel or PowerPoint have been great vehicles for targeted attacks because such attachments seem socially acceptable and are simply expected within corporate email.

The use of PDF files as a vehicle for the delivery of malware gives a hacker an added advantage, Henry said. It is anticipated that anti-virus vendors will create better signatures from the information contained within the patch to identify infected files. The bad guys, however, could simply start obfuscating the current exploit to try to capture any unpatched users.

Henry added that Lumension has found numerous Chinese web sites that were hosting malicious PDF files using the most current vulnerability, a contradiction of Adobe's position.

“Adobe has had a rash of patches come out lately, and since Adobe is not covered by Windows Update, you have to find a way to roll out these patches in enterprises, making it more difficult to get the patches installed,” Eric Schultze, CTO, Shavlik Technologies, told SCMagazineUS.com Tuesday.

Since Adobe documents are more common in business than PowerPoint documents, Schultze recommended that users get the Adobe patch installed first.

Andrew Storms, director of security operations for nCircle, told SCMagazineUS.com he agreed that Adobe's issues present a much greater risk to users than the PowerPoint bug.
