Adobe details secret PDF patches
It patched six bugs in Reader, Acrobat updates -- not just the one it acknowledged March 10
Computerworld - Adobe Systems Inc. revealed today that it patched five critical vulnerabilities behind the scenes when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack.
According to a security bulletin issued today, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug -- as Adobe indicated at the time -- but for five other vulnerabilities as well.
Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.
That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as e-mail attachments.
"The way we always handle this," said Brad Arkin, Adobe's director of product security and privacy, "is, will publicly released information help more users than not releasing the information?" Adobe, said Arkin today, decided the answer was "no," since it had yet to issue updates for all users when it first patched the software on March 10.
The decision was prompted by the staggered release of the Reader and Acrobat updates. Although Adobe patched the Windows and Mac OS X editions of the two apps on March 10, offered updates to the Version 8 line on March 17, and didn't issue Reader 9.1 and Acrobat 9.1 for Unix until today. It also didn't produce a fix for the even-older Version 7 until today.
"With this JBIG security incident, we wanted to patch as soon as possible," said Arkin, "and staggering the updates like we did was going to get the patches to the biggest demographic as soon as possible." More users run Version 9 on Windows and Mac than any other edition of Reader and Acrobat, Arkin added.
The four newly revealed JBIG2 vulnerabilities were reported to Adobe after Symantec Corp. said it had found a new Reader bug in the wild, said Arkin, but there was enough time before the March 10 update deadline to add fixes for them to Version 9.1.
That matches the schedule spelled out by iDefense Labs, a computer security research arm of VeriSign Inc. In its own bulletin today, iDefense said it had notified Adobe of a JBIG2 bug on Feb. 24, and provided the company with proof-of-concept code a day later.
All four of the already-patched JBIG2 bugs were classified by Adobe as critical, and could "lead to remote code execution," according to the bulletin.
The fifth vulnerability detailed today was also critical, and had actually been patched in the Unix edition of Reader 8.1.3 and Acrobat 8.1.3 last November. "That had not been ported over to the other platforms, however," said Arkin, referring to the Windows and Mac versions of the software.
One security researcher said that while he agreed with Adobe's call, the company could have done better at communicating about what it was doing. "It does make some sense if you are forced into doing a staggered release," said Andrew Storms, director of security operations at nCircle Network Security Inc. "There's no sense in exposing users any more than necessary. But what gives us the bad taste is how they aren't being upfront about it now," referring to the security bulletin, which doesn't mention the newly revealed bugs in its summary, but tucks them deeper in the document.
Users who have already updated to Reader or Acrobat 9.1 or 8.1.4 -- the versions pushed out March 10 and 17, respectively -- don't need to take any further action, Adobe's Arkin said, because they're fully patched against all the flaws, including those announced today.
Links to the Reader and Acrobat updates have been posted on Adobe's site.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts