Update: Adobe Reader patch mystery deepens
Researcher thinks critical bugs may be in third-party installer or updater
Computerworld - The mystery deepened late Wednesday over what Adobe Systems Inc. patched in its free Reader software after an exploit framework vendor claimed it had sniffed out a critical buffer overflow bug and come up with attack code.
Earlier yesterday, Adobe updated Reader to Version 8.1.2, saying that it was quashing "a number of ... security vulnerabilities." But unlike its practice in previous updates to the popular PDF-viewer, the company did not provide any information on the bugs it found and fixed. The only support document listed 27 problems, most of which appeared to be usability issues, but did not call out a single security vulnerability.
The lack of information surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS, in an e-mail Wednesday morning.
Later in the day, Immunity Inc. added proof-of-concept code for an Adobe Reader buffer overflow to its CANVAS penetration testing software, according to the company's Early Updates program page. Kostya Kortchinsky, an Immunity exploit researcher, uncovered the critical vulnerability and wrote the sample attack after reverse engineering the Adobe patch.
Kortchinsky ranked the vulnerability as "highly critical" and said an attack could be launched from a malicious Web site "thanks to a Web page with an embedded PDF object." Or it could be launched from Reader itself if a user could be duped into opening a rigged PDF attachment, he said.
What puzzled security experts, however, was Adobe's silence on the specifics of the bugs it had just patched. Normally, the company is more verbose in its explanations, such as in October 2007, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files.
Wednesday afternoon, Adobe issued a follow-up statement that, while it provided some additional information, still left researchers scratching their heads.
"In addition to addressing bug fixes and providing support for Mac OS X Leopard, the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable," said company spokesman John Cristofano in an e-mail. "Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders," he continued.
Andrew Storms, director of security operations at nCircle Inc., read between the lines and speculated that Adobe was holding information because one of the bugs involved third-party software licensed by Adobe and used by Reader. He based his take on the word "stakeholders" in Cristofano's statement.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!