Update: Adobe Reader patch mystery deepens
Researcher thinks critical bugs may be in third-party installer or updater
Computerworld - The mystery deepened late Wednesday over what Adobe Systems Inc. patched in its free Reader software after an exploit framework vendor claimed it had sniffed out a critical buffer overflow bug and come up with attack code.
Earlier yesterday, Adobe updated Reader to Version 8.1.2, saying that it was quashing "a number of ... security vulnerabilities." But unlike its practice in previous updates to the popular PDF-viewer, the company did not provide any information on the bugs it found and fixed. The only support document listed 27 problems, most of which appeared to be usability issues, but did not call out a single security vulnerability.
The lack of information surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS, in an e-mail Wednesday morning.
Later in the day, Immunity Inc. added proof-of-concept code for an Adobe Reader buffer overflow to its CANVAS penetration testing software, according to the company's Early Updates program page. Kostya Kortchinsky, an Immunity exploit researcher, uncovered the critical vulnerability and wrote the sample attack after reverse engineering the Adobe patch.
Kortchinsky ranked the vulnerability as "highly critical" and said an attack could be launched from a malicious Web site "thanks to a Web page with an embedded PDF object." Or it could be launched from Reader itself if a user could be duped into opening a rigged PDF attachment, he said.
What puzzled security experts, however, was Adobe's silence on the specifics of the bugs it had just patched. Normally, the company is more verbose in its explanations, such as in October 2007, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files.
Wednesday afternoon, Adobe issued a follow-up statement that, while it provided some additional information, still left researchers scratching their heads.
"In addition to addressing bug fixes and providing support for Mac OS X Leopard, the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable," said company spokesman John Cristofano in an e-mail. "Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders," he continued.
Andrew Storms, director of security operations at nCircle Inc., read between the lines and speculated that Adobe was holding information because one of the bugs involved third-party software licensed by Adobe and used by Reader. He based his take on the word "stakeholders" in Cristofano's statement.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts