Update: Adobe issues emergency PDF patches
Researcher questions Adobe's patch delivery consistency
Computerworld - As expected, Adobe today released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software.
Adobe ranked both bugs as critical.
Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise today by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe's ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.
The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack, said Andrew Storms, director of security operations at nCircle Network Security.
Between Thursday, when Adobe updated Flash Player, and today, when it patched the same flaw in Reader and Acrobat, the latter programs were theoretically vulnerable to attack if an ambitious hacker had pulled apart the Flash patch and managed to figure out where the vulnerability was within Reader. That didn't happen, Storms noted.
It was the second vulnerability, tagged as CVE-2010-0188, that drew his attention. "Adobe credited it to Microsoft," said Storms, "which in itself is interesting." The bug was reported by the Microsoft Vulnerability Research Program (MSVR), where Microsoft security researchers submit flaws they find in third-party software, such as browser plug-ins like Reader.
Microsoft may have found the vulnerability through its own security process, or it may have been reported by a Microsoft customer to the company, which then passed it along to Adobe. The latter declined to say which was the case, but did say it wasn't aware of any in-the-wild exploits of either vulnerability patched today.
What intrigued Storms the most was that today's update was outside the regular quarterly security release schedule Adobe's set its PDF software. "Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit."
Storms argued that by updating Reader and Acrobat today -- about two months before the next slated update, April 13 -- and not explaining why it went out-of-band, Adobe's actually made the CVE-2010-0188 vulnerability more conspicuous to hackers.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts