Adobe details secret PDF patches

Computerworld - Adobe Systems Inc. revealed today that it patched five critical vulnerabilities behind the scenes when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack.

According to a security bulletin issued today, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug -- as Adobe indicated at the time -- but for five other vulnerabilities as well.

Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.

That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as e-mail attachments.

"The way we always handle this," said Brad Arkin, Adobe's director of product security and privacy, "is, will publicly released information help more users than not releasing the information?" Adobe, said Arkin today, decided the answer was "no," since it had yet to issue updates for all users when it first patched the software on March 10.

The decision was prompted by the staggered release of the Reader and Acrobat updates. Although Adobe patched the Windows and Mac OS X editions of the two apps on March 10, offered updates to the Version 8 line on March 17, and didn't issue Reader 9.1 and Acrobat 9.1 for Unix until today. It also didn't produce a fix for the even-older Version 7 until today.

"With this JBIG security incident, we wanted to patch as soon as possible," said Arkin, "and staggering the updates like we did was going to get the patches to the biggest demographic as soon as possible." More users run Version 9 on Windows and Mac than any other edition of Reader and Acrobat, Arkin added.

The four newly revealed JBIG2 vulnerabilities were reported to Adobe after Symantec Corp. said it had found a new Reader bug in the wild, said Arkin, but there was enough time before the March 10 update deadline to add fixes for them to Version 9.1.

That matches the schedule spelled out by iDefense Labs, a computer security research arm of VeriSign Inc. In its own bulletin today, iDefense said it had notified Adobe of a JBIG2 bug on Feb. 24, and provided the company with proof-of-concept code a day later.

All four of the already-patched JBIG2 bugs were classified by Adobe as critical, and could "lead to remote code execution," according to the bulletin.

The fifth vulnerability detailed today was also critical, and had actually been patched in the Unix edition of Reader 8.1.3 and Acrobat 8.1.3 last November. "That had not been ported over to the other platforms, however," said Arkin, referring to the Windows and Mac versions of the software.

One security researcher said that while he agreed with Adobe's call, the company could have done better at communicating about what it was doing. "It does make some sense if you are forced into doing a staggered release," said Andrew Storms, director of security operations at nCircle Network Security Inc. "There's no sense in exposing users any more than necessary. But what gives us the bad taste is how they aren't being upfront about it now," referring to the security bulletin, which doesn't mention the newly revealed bugs in its summary, but tucks them deeper in the document.

Users who have already updated to Reader or Acrobat 9.1 or 8.1.4 -- the versions pushed out March 10 and 17, respectively -- don't need to take any further action, Adobe's Arkin said, because they're fully patched against all the flaws, including those announced today.

Links to the Reader and Acrobat updates have been posted on Adobe's site.

Read more about security in Computerworld's Security Knowledge Center.