Update: Adobe issues emergency PDF patches
Researcher questions Adobe's patch delivery consistency
Computerworld - As expected, Adobe today released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software.
Adobe ranked both bugs as critical.
Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise today by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe's ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.
The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack, said Andrew Storms, director of security operations at nCircle Network Security.
Between Thursday, when Adobe updated Flash Player, and today, when it patched the same flaw in Reader and Acrobat, the latter programs were theoretically vulnerable to attack if an ambitious hacker had pulled apart the Flash patch and managed to figure out where the vulnerability was within Reader. That didn't happen, Storms noted.
It was the second vulnerability, tagged as CVE-2010-0188, that drew his attention. "Adobe credited it to Microsoft," said Storms, "which in itself is interesting." The bug was reported by the Microsoft Vulnerability Research Program (MSVR), where Microsoft security researchers submit flaws they find in third-party software, such as browser plug-ins like Reader.
Microsoft may have found the vulnerability through its own security process, or it may have been reported by a Microsoft customer to the company, which then passed it along to Adobe. The latter declined to say which was the case, but did say it wasn't aware of any in-the-wild exploits of either vulnerability patched today.
What intrigued Storms the most was that today's update was outside the regular quarterly security release schedule Adobe's set its PDF software. "Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit."
Storms argued that by updating Reader and Acrobat today -- about two months before the next slated update, April 13 -- and not explaining why it went out-of-band, Adobe's actually made the CVE-2010-0188 vulnerability more conspicuous to hackers.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!