Update: Adobe issues emergency PDF patches
Researcher questions Adobe's patch delivery consistency
Computerworld - As expected, Adobe today released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software.
Adobe ranked both bugs as critical.
Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise today by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe's ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.
The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack, said Andrew Storms, director of security operations at nCircle Network Security.
Between Thursday, when Adobe updated Flash Player, and today, when it patched the same flaw in Reader and Acrobat, the latter programs were theoretically vulnerable to attack if an ambitious hacker had pulled apart the Flash patch and managed to figure out where the vulnerability was within Reader. That didn't happen, Storms noted.
It was the second vulnerability, tagged as CVE-2010-0188, that drew his attention. "Adobe credited it to Microsoft," said Storms, "which in itself is interesting." The bug was reported by the Microsoft Vulnerability Research Program (MSVR), where Microsoft security researchers submit flaws they find in third-party software, such as browser plug-ins like Reader.
Microsoft may have found the vulnerability through its own security process, or it may have been reported by a Microsoft customer to the company, which then passed it along to Adobe. The latter declined to say which was the case, but did say it wasn't aware of any in-the-wild exploits of either vulnerability patched today.
What intrigued Storms the most was that today's update was outside the regular quarterly security release schedule Adobe's set its PDF software. "Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit."
Storms argued that by updating Reader and Acrobat today -- about two months before the next slated update, April 13 -- and not explaining why it went out-of-band, Adobe's actually made the CVE-2010-0188 vulnerability more conspicuous to hackers.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts