Adobe breaks silence on February's PDF bugs

Flaws' severity may have prompted silence, researcher speculates

Three months after acknowledging multiple vulnerabilities in its popular Reader software and then patching the program, Adobe this week finally provided some details about the bugs.

In a security bulletin issued Tuesday, Adobe listed eight vulnerabilities -- most of them critical -- that it patched in early February when it released Reader 8.1.2 and Acrobat 8.1.2. At the time, Adobe had only said it fixed "a number of ... security vulnerabilities" in the two programs; it did not specify how many flaws were fixed, what they were or how attackers might exploit them.

Reader is one of the world's most popular pieces of software, since it's both free and the default PDF viewer for many users.

The secrecy three months ago puzzled security researchers, who noted that Adobe was usually more forthcoming about vulnerabilities. Today, one researcher speculated about the mystery. "I think Adobe thought the severity of the vulnerabilities warranted some secrecy," said Andrew Storms, nCircle's director of security operations. "Six of the eight are in JavaScript. That's not a very difficult attack scenario. It's not as if you have to compile code. And it's going to work on any processor, and on almost any machine."

Even though Adobe disclosed some information about the bugs it fixed in February, the bulletin was still terse. It did not spell out possible attack vectors or even rate the bugs. "These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system," was about as far as the bulletin ventured.

Storms agreed that the three-month lag between patching the vulnerabilities and divulging some details was extreme, but noted that many of the flaws went back farther than February. "Some were apparently disclosed [to Adobe by researchers] in late 2007," he said. "There's one from November, and others from September and October."

Some information about the vulnerabilities had already been publicly reported by the researchers who uncovered them -- VeriSign's iDefense, for instance, posted three bulletins in February -- while others waited until this week.

Tuesday, for example, Fortinet posted a short security advisory about the JavaScript vulnerabilities it had reported to Adobe. Early on Wednesday, researcher Frank Ruder posted proof-of-concept exploit code for the Fortinet-found vulnerabilities to several security mailing lists, including Bugtraq and Full Disclosure.

Adobe did acknowledge in Tuesday's security bulletin that there have been reports of in-the-wild exploits of at least one of the eight bugs, but the company stopped short of confirming the fact.

Several days after Adobe patched Reader and Acrobat, security researchers claimed that attackers had been exploiting JavaScript bugs in the programs using malicious PDF (Portable Document Format) files. One researcher said that the attacks had been occurring for several weeks, while another put the infections at "many thousands."

Those attacks, said Storms today, could still be effective, even though Reader and Acrobat have been patched. "We don't have statistics on how many people are still stuck on the Reader 7 code base," he aid.

Reader 8.1.2 can be downloaded from the Adobe Web site or retrieved using the updater bundled with the program.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?