By Richi Jennings. August 20, 2010.
Adobe has released "emergency" patches for critical vulnerabilities in Flash Player, Acrobat and Acrobat Reader. The out-of-band fixes are available to download now. In IT Blogwatch, bloggers rush to protect themselves from non-existent exploits.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention how to make Justin Bieber sound incredible...
Gregg Keizer has history:
The bug ... was disclosed by researcher Charlie Miller at last month's Black Hat security conference. ... [He] is well-known for finding vulnerabilities in Adobe's popular Reader PDF viewer. ... Miller said that Adobe knew of the font bug in Reader and Acrobat before he revealed it.
...The vulnerability is in Reader's and Acrobat's font parsing, but is not connected with the ... flaw exploited by hackers to "jailbreak" Apple's iOS 4 earlier this month. ... Thursday's out-of-band update will include fixes for vulnerabilities other than [this].
John Leyden mentions another patched vulnerability:
Vulnerable versions of Acrobat bundle an at-risk version of Flash Player. ... Attacks against Adobe's applications are second only to Microsoft as the favourite target for hackers. ... The software maker's frequent security updates are a little hard to stomach as a result.
...Updates for Adobe Reader 9.3.3 for Windows, Macintosh and Unix ... as well as cross-platform patches for Adobe Reader 8.2.3 and Acrobat 8.2.3 - earlier but still supported versions. ... Thursday will also mark the availability of a cross-platform update for Adobe Flash Player 10.1.53.64.
Ryan Naraine notes others' involvement:
Miller's presentation did not include technical details of the flaw but attendees were able to piece together clues.
...Adobe confirmed that this update fixes that Black Hat vulnerability. Google's Tavis Ormandy is credited with reporting the flaw. Miller was not credited in Adobe's advisory.
But Gareth Halfacree worries about Adobe's image:
The vulnerabilities ... are thought to be so critical that Adobe has decided to ditch its usual patch release cycle.
...While an out-of-cycle patch is the quickest way to get its users protected, Adobe risks angering system administrators who now have to find time to test and deploy a critical software modification.
Meanwhile, Tony Bradley has a suggestion for big A:
Hopefully, in the future Adobe will provide more details about ... the flaws and how they can ... be exploited, as well as mitigations that can prevent attack in lieu of applying the update. IT admins need such information to allow for proper risk analysis and ... in cases where a system can not be patched for some reason.
...Adobe also stressed that it is not aware of any exploits in the wild ... and that this release does not affect the date of the next scheduled quarterly update--which remains October 12, 2010. ... The implementation earlier this year of an updater utility to automate patching for Adobe products, combined with efforts to build more security measures such as sandboxing into future product releases ... demonstrate Adobe's commitment to security.
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: email@example.com.
You can also read Richi's full profile and disclosure of his industry affiliations.