Adobe Goes Public Day After Patch Release

A security update for versions of Adobe Reader 8, which some contended was secretly installed, was officially made public on the company's Web site today.

Unbeknownst to most of the security community and general public, Adobe Systems had slipped in a vulnerability patch updating the latest version of Acrobat Reader yesterday that addressed a stack overflow vulnerability. While the company corrected the error with its version 8.1.2, the security bulletin was not immediately made public.

The flaws, which could potentially crash unpatched versions of Reader, affected all previous versions of Reader 8, as well as versions 7.0.9 and prior.

The comprehensive update included several important security fixes, including some with a critical severity rating. The update also addressed bug fixes and provided support for Mac OS X Leopard through version 10.5.1. If exploited, the vulnerabilities would have allowed a remote attacker to mount a denial of service attack or gain access to a system and retrieve sensitive or crucial information.

Secunia, which referred to the patch as a "mysterious security update" due to lack of publicized information, estimates that the vulnerability affected more than 60 percent of users, according to an advisory on its Web site.

Security company Immunity first publicized the security flaw yesterday, preceding Adobe's bulletin posting today. The Miami-based security vendor reverse engineered the patch during one of its monthly CANVAS early updates, which provide clients up-to-the-minute information on vulnerabilities and proof-of-concept exploits.

"You always have to assume that if our people have found it, then there's someone else out there who's not talking about it and not making it available," said Justine Aitel, Immunity CEO. "If we can do it, you can bet the bad guys are doing it too."

Aitel said that Immunity often runs into companies that silently patch -- a worst case scenario in which a company attempts to keep a security flaw under the radar by failing to disclose any repairs -- while conducting routine proof-of-concept exploit research.

However, Adobe contends that its security bulletin "lagged that push a little bit" for a reason. The San Jose, Calif.-based company maintained that it had not acted covertly, but rather that security bulletins can be delayed in the interests of acting responsibly. Adobe personnel contend that the bulletins are made public once there is consensus among the researchers who helped to discover and patch the vulnerabilities.

"There's a process we go through," said Steve Gottwals, senior product manager for Adobe. "You want to give researchers the proper recognition, proper support and proper engineering channels, so we can have a clear and concise statement."

"We really have to do proper due diligence. It's not just Adobe that's responsible for putting these out," he added.

Adobe recommends that Reader 7 and 8 users upgrade to version 8.1.2 as soon as possible on both Mac and Windows.

All in all, security experts say that it hasn't been a great week for Windows users. In the past few days, security updates have been issued for several popular programs, including Sun Java 1.5, Apple Quicktime Player, and Skype, in addition to Adobe Reader.

Sun Java, which is used on Web sites to provide enhanced content such as games and other features, was recently repaired with a patch for a security hole that enabled computers to be compromised when users surf the Web.

Apple QuickTime, which allows users to view movies or listen to music, was updated with a patch preventing attackers from compromising users' computers.

The recent Skype update implemented security enhancements that protect users' computers when engaging the chat and VoIP features.