Update: Adobe Reader patch mystery deepens
Researcher thinks critical bugs may be in third-party installer or updater
Computerworld - The mystery deepened late Wednesday over what Adobe Systems Inc. patched in its free Reader software after an exploit framework vendor claimed it had sniffed out a critical buffer overflow bug and come up with attack code.
Earlier yesterday, Adobe updated Reader to Version 8.1.2, saying that it was quashing "a number of ... security vulnerabilities." But unlike its practice in previous updates to the popular PDF-viewer, the company did not provide any information on the bugs it found and fixed. The only support document listed 27 problems, most of which appeared to be usability issues, but did not call out a single security vulnerability.
The lack of information surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS, in an e-mail Wednesday morning.
Later in the day, Immunity Inc. added proof-of-concept code for an Adobe Reader buffer overflow to its CANVAS penetration testing software, according to the company's Early Updates program page. Kostya Kortchinsky, an Immunity exploit researcher, uncovered the critical vulnerability and wrote the sample attack after reverse engineering the Adobe patch.
Kortchinsky ranked the vulnerability as "highly critical" and said an attack could be launched from a malicious Web site "thanks to a Web page with an embedded PDF object." Or it could be launched from Reader itself if a user could be duped into opening a rigged PDF attachment, he said.
What puzzled security experts, however, was Adobe's silence on the specifics of the bugs it had just patched. Normally, the company is more verbose in its explanations, such as in October 2007, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files.
Wednesday afternoon, Adobe issued a follow-up statement that, while it provided some additional information, still left researchers scratching their heads.
"In addition to addressing bug fixes and providing support for Mac OS X Leopard, the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable," said company spokesman John Cristofano in an e-mail. "Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders," he continued.
Andrew Storms, director of security operations at nCircle Inc., read between the lines and speculated that Adobe was holding information because one of the bugs involved third-party software licensed by Adobe and used by Reader. He based his take on the word "stakeholders" in Cristofano's statement.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts