Adobe to patch Reader zero-day bug Thursday
Company knew of critical flaw before Black Hat, says researcher
Computerworld - Adobe said today that it would patch a critical Reader vulnerability on Thursday.
Two weeks ago, Adobe had promised to fix the flaw during the week of Aug. 16 with an emergency, or "out-of-band" security update, but had not slated a specific date.
Computerworld had pegged the likely release date as Aug. 17 based on past Adobe practice of issuing many of its security updates on Tuesdays.
The bug Adobe plans to patch was disclosed by researcher Charlie Miller at last month's Black Hat security conference, when he demonstrated how the open-source BitBlaze toolkit could be used to boost bug-hunting productivity.
Miller, an analyst with Baltimore-based Independent Security Evaluators, is well-known for finding vulnerabilities in Adobe's popular Reader PDF viewer. Last March, Miller showed how a simple fuzzing tool could root out scores of potential bugs in Reader and other software.
Miller said the vulnerability is in Reader's and Acrobat's font parsing, but is not connected with the PDF font parsing flaw exploited by hackers to "jailbreak" Apple's iOS 4 earlier this month. Apple patched the font vulnerability last Wednesday.
On Tuesday, Miller said that Adobe knew of the font bug in Reader and Acrobat before he revealed it at Black Hat.
"Apparently @taviso previously reported to Adobe the Reader 0-day I dropped at BH," Miller said on Twitter. "Haha, ruined his effort at trying to be responsible."
That debate, which resulted in Google and Microsoft proposing changes to how vulnerability researchers report bugs and how vendors react to the reports, centered on "full disclosure" and "responsible disclosure," two competing vulnerability-reporting philosophies.
Miller said in response to a follow-up question that Adobe told him Ormandy had reported the vulnerability before Black Hat.
Thursday's out-of-band update will include fixes for vulnerabilities other than the one Miller uncovered, Adobe has said. The company will also still ship its next regularly scheduled quarterly update for Reader and Acrobat on Oct. 12.
In the past, Adobe has delayed its quarterly updates when it has issued an emergency patch.
Adobe will publish a security bulletin that includes links to the updated Reader and Acrobat sometime Thursday on its Web site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.