Update: Adobe Reader patch mystery deepens

Computerworld - The mystery deepened late Wednesday over what Adobe Systems Inc. patched in its free Reader software after an exploit framework vendor claimed it had sniffed out a critical buffer overflow bug and come up with attack code.

Earlier yesterday, Adobe updated Reader to Version 8.1.2, saying that it was quashing "a number of ... security vulnerabilities." But unlike its practice in previous updates to the popular PDF-viewer, the company did not provide any information on the bugs it found and fixed. The only support document listed 27 problems, most of which appeared to be usability issues, but did not call out a single security vulnerability.

The lack of information surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS, in an e-mail Wednesday morning.

Later in the day, Immunity Inc. added proof-of-concept code for an Adobe Reader buffer overflow to its CANVAS penetration testing software, according to the company's Early Updates program page. Kostya Kortchinsky, an Immunity exploit researcher, uncovered the critical vulnerability and wrote the sample attack after reverse engineering the Adobe patch.

Kortchinsky ranked the vulnerability as "highly critical" and said an attack could be launched from a malicious Web site "thanks to a Web page with an embedded PDF object." Or it could be launched from Reader itself if a user could be duped into opening a rigged PDF attachment, he said.

What puzzled security experts, however, was Adobe's silence on the specifics of the bugs it had just patched. Normally, the company is more verbose in its explanations, such as in October 2007, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files.

Wednesday afternoon, Adobe issued a follow-up statement that, while it provided some additional information, still left researchers scratching their heads.

"In addition to addressing bug fixes and providing support for Mac OS X Leopard, the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable," said company spokesman John Cristofano in an e-mail. "Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders," he continued.

Andrew Storms, director of security operations at nCircle Inc., read between the lines and speculated that Adobe was holding information because one of the bugs involved third-party software licensed by Adobe and used by Reader. He based his take on the word "stakeholders" in Cristofano's statement.