Update: Adobe Reader patch mystery deepens

Researcher thinks critical bugs may be in third-party installer or updater

The mystery deepened late Wednesday over what Adobe Systems Inc. patched in its free Reader software after an exploit framework vendor claimed it had sniffed out a critical buffer overflow bug and come up with attack code.

Earlier yesterday, Adobe updated Reader to Version 8.1.2, saying that it was quashing "a number of ... security vulnerabilities." But unlike its practice in previous updates to the popular PDF-viewer, the company did not provide any information on the bugs it found and fixed. The only support document listed 27 problems, most of which appeared to be usability issues, but did not call out a single security vulnerability.

The lack of information surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS, in an e-mail Wednesday morning.

Later in the day, Immunity Inc. added proof-of-concept code for an Adobe Reader buffer overflow to its CANVAS penetration testing software, according to the company's Early Updates program page. Kostya Kortchinsky, an Immunity exploit researcher, uncovered the critical vulnerability and wrote the sample attack after reverse engineering the Adobe patch.

Kortchinsky ranked the vulnerability as "highly critical" and said an attack could be launched from a malicious Web site "thanks to a Web page with an embedded PDF object." Or it could be launched from Reader itself if a user could be duped into opening a rigged PDF attachment, he said.

What puzzled security experts, however, was Adobe's silence on the specifics of the bugs it had just patched. Normally, the company is more verbose in its explanations, such as in October 2007, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files.

Wednesday afternoon, Adobe issued a follow-up statement that, while it provided some additional information, still left researchers scratching their heads.

"In addition to addressing bug fixes and providing support for Mac OS X Leopard, the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable," said company spokesman John Cristofano in an e-mail. "Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders," he continued.

Andrew Storms, director of security operations at nCircle Inc., read between the lines and speculated that Adobe was holding information because one of the bugs involved third-party software licensed by Adobe and used by Reader. He based his take on the word "stakeholders" in Cristofano's statement.

"It sounds like one of the vulnerabilities involves third-party software within Adobe Reader, maybe an installer or updater. I think that's the most likely explanation."

Storms believes that Adobe may be giving other companies which license the flawed third-party component a chance to fix their programs. "If the vulnerability is in a third-party product that this other [unnamed] company has sold or licensed, if Adobe disclosed [information] it may mean that other vendors' products would be vulnerable."

Kortchinsky, meanwhile, said that a more robust version of the Immunity exploit is in the works. "CANVAS Early Updates will be updated with a fully working exploit soon."

On Thursday, Adobe added a security advisory to its Web site, but that alert did not provide any new information or additional details on the vulnerabilities that had been patched.

The new Reader, which can be downloaded from the Adobe Web site or retrieved using the updater bundled with Reader, targets Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Mac OS X 10.4.3 and later.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon