Unpatched PDF bug poses growing threat, say researchers
Recent exploits evade Adobe's countermeasures; patch not ready
Computerworld - An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.
Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.
The bug first made news two weeks ago, when Adobe confirmed the problem and rated it critical. Within days, other reports surfaced that in-the-wild attacks had been exploiting the flaw since early January.
"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability ... just like it would when you would explicitly open the document," Stevens said in a blog post.
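The point Stevens makes is that Explorer itself hands the file to Reader's parsing code (for previews, thumbnails, info tips or property columns) before the user ever double-clicks it, so "don't open untrusted PDFs" is not a complete mitigation. The following script is an added example, not from the article or from Adobe, that lists which shell handlers are registered for .pdf on a Windows machine so an administrator can see what will parse the file on hover or preview. It assumes the standard Explorer registration points: the three shellex interface keys named below are the well-known CLSIDs Windows uses for preview, thumbnail and info-tip handlers, and property handlers are assumed to live under the PropertySystem key in HKLM.

```powershell
# Added example (not the article's or Adobe's code): enumerate the Explorer
# shell handlers registered for .pdf, i.e. the code paths that parse a PDF
# without the user opening it. Assumes the standard Windows registration points.

$Extension = '.pdf'

# Assumed well-known Explorer shellex subkeys (interface IDs, not Adobe's CLSIDs).
$HandlerKinds = @{
    '{8895b1c6-b41f-4c1c-a562-0d564250836f}' = 'Preview handler (IPreviewHandler)'
    '{e357fccd-a995-4576-b01f-234630154e96}' = 'Thumbnail provider (IThumbnailProvider)'
    '{00021500-0000-0000-C000-000000000046}' = 'InfoTip handler (IQueryInfo)'
}

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a registry key, or $null if absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.'(default)' }
    return $null
}

function Resolve-Server([string]$Clsid) {
    # Maps a CLSID to the DLL that implements it (in-process COM server).
    return Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
}

function Get-PdfShellHandlers {
    $results = @()

    # Handlers may hang off the extension key itself or off its ProgID.
    $roots = @("Registry::HKEY_CLASSES_ROOT\$Extension")
    $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$Extension"
    if ($progId) { $roots += "Registry::HKEY_CLASSES_ROOT\$progId" }

    foreach ($root in $roots) {
        foreach ($iid in $HandlerKinds.Keys) {
            $clsid = Get-DefaultValue "$root\shellex\$iid"
            if ($clsid) {
                $results += [pscustomobject]@{
                    Kind  = $HandlerKinds[$iid]
                    Where = $root
                    CLSID = $clsid
                    DLL   = Resolve-Server $clsid
                }
            }
        }
    }

    # Property handlers (metadata columns in Explorer) are registered per extension in HKLM.
    $propKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\$Extension"
    $propClsid = Get-DefaultValue $propKey
    if ($propClsid) {
        $results += [pscustomobject]@{
            Kind  = 'Property handler (IPropertyStore)'
            Where = $propKey
            CLSID = $propClsid
            DLL   = Resolve-Server $propClsid
        }
    }

    return $results
}

# Usage: run in an elevated PowerShell; every row is a DLL Explorer will load
# and feed the PDF to. Until the vendor patch lands, these are candidates to
# disable (Explorer's preview pane and thumbnails) rather than the Reader binary alone.
Get-PdfShellHandlers | Format-Table -AutoSize
```

On 64-bit Windows a 32-bit preview handler may additionally be registered under the WOW6432Node view of these keys, which this script does not walk; extend the root list if that applies to your fleet.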
Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."
Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [to meet] those deadlines," said Arkin.
Adobe has said it will post a notification on its security site when it issues patches next week.