Adobe delays Reader patch as attacks spread, exploit code goes public
Will patch Flash June 10, slates Reader fix for June 29 to minimize update 'churn'
Computerworld - Adobe will patch a critical Flash bug on Thursday, but has decided to postpone a fix for an associated flaw in the Reader PDF viewer until the end of the month, the company said late Monday.
The vulnerability is already being exploited by hackers using rigged PDF documents, several antivirus firms said. Exploit code has also been publicly posted to the Internet.
On Friday, Adobe acknowledged the bug in Flash, Reader and Acrobat, and confirmed that attackers are already putting it to use. The company promised a patch, but until Monday had not set a schedule for its release.
"The security update for Flash Player will be available by June 10, 2010," said Brad Arkin, Adobe's director of security and privacy, in a post to company blog. "The security update for Adobe Reader and Acrobat will be available by June 29, 2010."
Arkin said his team had considered a rush patch for Reader and Acrobat as well, but rejected the idea because of an impending update already scheduled for July 13, part of Adobe's quarterly patch process for Reader and Acrobat.
"Two patches within three weeks would have incurred too much churn and patch management overhead on our users, in particular for customers with large managed environments," Arkin said.
Instead, Adobe will move up the already-slated July 13 quarterly patch release to June 29, and include a fix for the zero-day flaw in that batch.
Earlier, Adobe had modified its security advisory, first issued last week, to recommend steps that Mac and Linux users could take to help protect themselves against PDF-based attacks. Like the recommendations for Windows users, they involved deleting the "authplay" component, or moving it from its usual location. Authplay -- on Windows it's dubbed "authplay.dll," while on the Mac it's called "authplay.lib" -- is the interpreter that handles Flash content embedded within PDF files.
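The workaround above, scripted for a managed fleet as an added example (this is not Adobe's code and not code from the article): it renames authplay in place rather than deleting it, so the change can be reverted after the June 29 patch, and it reports whether any live copy remains. The install root is passed in because the article gives no paths; the Windows and Mac file names are the ones the article quotes, the Linux name libauthplay.so* is an assumption, and the directory layout it builds for a demo run is constructed.

```python
"""Fleet-side application of the advisory's interim workaround (added example;
not Adobe's code and not from the article). Renaming the authplay component
stops Reader/Acrobat from handing embedded Flash to the vulnerable interpreter;
renaming instead of deleting keeps the change reversible once the patch ships.
Windows/Mac file names are the ones the article quotes; the Linux shared-object
name is an assumption. Run with Reader/Acrobat closed: a loaded DLL cannot be
renamed on Windows."""
import tempfile
from pathlib import Path

SUFFIX = ".disabled"
EXACT_NAMES = {"authplay.dll", "authplay.lib"}   # named in the article
SO_PREFIX = "libauthplay.so"                     # assumption for Linux builds


def is_authplay(name):
    """Case-insensitive match on the interpreter's file name."""
    n = name.lower()
    return n in EXACT_NAMES or n.startswith(SO_PREFIX)


def find_authplay(root):
    """Live (not yet disabled) authplay files under root, sorted for stable output."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and not p.name.endswith(SUFFIX) and is_authplay(p.name))


def disable_authplay(root):
    """Rename each live authplay file to <name>.disabled; return the new paths."""
    moved = []
    for p in find_authplay(root):
        target = p.with_name(p.name + SUFFIX)
        p.rename(target)
        moved.append(target)
    return moved


def restore_authplay(root):
    """Undo disable_authplay after patching; return the restored paths."""
    restored = []
    for p in sorted(Path(root).rglob("*" + SUFFIX)):
        original = p.name[:-len(SUFFIX)]
        if p.is_file() and is_authplay(original):
            target = p.with_name(original)
            p.rename(target)
            restored.append(target)
    return restored


def workaround_in_place(root):
    """Compliance check: True when no live authplay file remains under root."""
    return not find_authplay(root)


def build_demo_tree():
    """Constructed install layout for a dry run (not a real Reader install):
    a Windows-style and a Linux-style authplay plus an unrelated DLL that
    must be left untouched."""
    root = Path(tempfile.mkdtemp(prefix="authplay-demo-"))
    reader = root / "Adobe Reader 9" / "Reader"
    reader.mkdir(parents=True)
    (reader / "AuthPlay.dll").write_bytes(b"demo")
    (reader / "other.dll").write_bytes(b"demo")
    (root / "libauthplay.so.0.0.0").write_bytes(b"demo")
    return root


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        action, root = sys.argv[1], Path(sys.argv[2])   # e.g. disable /path/to/Reader
    else:
        action, root = "disable", build_demo_tree()     # dry run on the constructed tree
    paths = disable_authplay(root) if action == "disable" else restore_authplay(root)
    for p in paths:
        print(p)
    print("workaround in place:", workaround_in_place(root))
```

Expect PDFs that rely on embedded Flash to stop rendering that content while the rename is in place; that loss of function is the point of the workaround, and `restore_authplay` reverses it once the patched Reader is deployed.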
Andrew Storms, the director of security operations at nCircle Security, agreed with Adobe's move. "I would certainly put Flash on the top of my list to address first," he said in an instant message exchange Tuesday. "The likely attack vectors with Flash would tend to be of fewer human interaction and thus should be tackled first."
Flash attacks could be launched in "drive-by" attacks that need only entice users to visit malicious Web sites, which would host malformed media files.
Storms, a frequent critic of Adobe's security failures, also backed Arkin's decision to wait until the end of June to update Reader and Acrobat. "I can understand the desire to not put out back-to-back-to-back releases inside of two months," he said. "That would be a drain on Adobe and end users."
Several major antivirus vendors, including Trend Micro and Symantec, have spotted in-the-wild attacks exploiting the zero-day. Most of the attacks have come in malicious PDF documents.
"We have confirmed that the attack involves 'Trojan.Pidief.J,' which is a PDF file that drops a backdoor Trojan onto the compromised computer if [Reader or Acrobat] is already installed," said Symantec researcher Joji Hamada in a note on the company's site Monday.
Symantec has also spotted Flash-based attacks using malicious media files embedded in HTML code on hacker sites.
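A triage check for the PDF vector Symantec describes, as an added example (not Symantec's or Adobe's code, and not from the article): it does not detect Trojan.Pidief.J specifically, but flags any PDF that would reach the authplay code path at all, by looking for RichMedia/Flash annotation names in the PDF syntax and for an SWF header (FWS, CWS or ZWS) inside raw or Flate-compressed streams. The name set comes from the PDF RichMedia extension and the ZWS header is a later LZMA variant, both assumptions beyond the page; the sample documents are constructed inline and are not malware.

```python
"""Triage scanner for PDFs carrying embedded Flash (added example; not from the
article, Adobe or Symantec). In the window between a zero-day in the PDF Flash
interpreter (authplay) and its patch, this flags attachments that exercise that
component: RichMedia/Flash names in the PDF syntax, or an SWF header inside a
raw or Flate-compressed stream. It identifies files worth quarantining or
detonating, not a specific exploit. Sample PDFs are constructed, not malware."""
import re
import zlib

# Name objects that only appear when Flash/RichMedia content is present.
# Assumption: taken from the PDF RichMedia extension, not from the page.
FLASH_NAMES = (b"/RichMedia", b"/RichMediaContent", b"/FlashVars",
               b"/Subtype /Flash", b"/Subtype/Flash")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA (assumption)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _streams(data):
    """Yield each stream body raw, and again inflated when it is Flate-encoded."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        yield body
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass  # not Flate (or a filter this scanner does not handle)


def scan_pdf_bytes(data):
    """Return sorted indicator strings found in the PDF; empty means no Flash seen."""
    hits = set()
    if not data.startswith(b"%PDF"):
        return []  # not a PDF; out of scope for this check
    for name in FLASH_NAMES:
        if name in data:
            hits.add("name:" + name.decode())
    for body in _streams(data):
        head = body.lstrip()[:3]
        if head in SWF_MAGIC:
            hits.add("swf:" + head.decode())
    return sorted(hits)


def build_pdf_with_swf(compress=True):
    """Constructed sample: minimal PDF with a RichMedia annotation whose embedded
    file is a dummy SWF header (CWS), optionally Flate-compressed as real
    documents are. It carries no ActionScript and is not an exploit."""
    swf = b"CWS\x0a" + b"\x00" * 8
    body = zlib.compress(swf) if compress else swf
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 2 0 R >> endobj\n"
        b"2 0 obj << /Type /EmbeddedFile " + filt
        + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
        + body + b"\nendstream\nendobj\n%%EOF\n"
    )


def build_plain_pdf():
    """Constructed sample with no Flash content at all."""
    return b"%PDF-1.4\n1 0 obj << /Type /Page >> endobj\n%%EOF\n"


if __name__ == "__main__":
    for label, doc in (("flash", build_pdf_with_swf()), ("plain", build_plain_pdf())):
        print(label, scan_pdf_bytes(doc) or "clean")
```

Quarantining or sandboxing every hit is cheap during the unpatched window because legitimate PDFs with embedded Flash are rare in most mail flows. The scanner will miss Flash hidden in object streams or behind filters other than Flate, so treat it as a first pass for attachment triage, not a verdict.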
"The attacks seem limited at this point," Hamada added. "However, other cyber criminals may jump on the bandwagon to take advantage of the vulnerability in the very near future."
If that happens, Adobe may be stuck between a rock and a hard place, said Storms. "They aren't giving themselves any space in case the attack vectors switch or increase whereby they may need to accelerate even further," he said.
To make Adobe's job tougher, attack code has gone public, according to HD Moore, chief security officer at Rapid7 and the creator of the well-known Metasploit hacking toolkit. "Exploit for the new Adobe Flash 0-Day should [be] added to Metasploit soon, based on this public sample," Moore said on Twitter Tuesday.
For some security experts, Metasploit is an attack barometer; when an exploit for a vulnerability is added to the penetration testing framework, the volume of attacks often jumps.
"All the better reason for Adobe to get that patch process into high gear," said Storms.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.