Adobe promises patch for zero-day PDF bug by next Tuesday

That's also Microsoft's monthly patch day for May

Adobe has promised to patch the newest zero-day vulnerability in its popular Adobe Reader software no later than next Tuesday, potentially adding another update to the month's busiest patch day for the second time in three months.

May 12 is also Microsoft's regularly-scheduled monthly Patch Tuesday.

On Friday, Adobe's security team announced that it would issue updates to Adobe Reader and Acrobat -- versions 9.x, 8.x and 7.x for Windows, 9.x and 8.x for Mac and Linux -- by next Tuesday.

"We are in the process of fixing the issue," said David Lenoe, the company's security program manager, in a blog post, referring to the unpatched Reader bug that Adobe acknowledged April 28.

"Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix," he added, referencing a second bug that was reported last week.

"This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate."

In lieu of a patch, Adobe had earlier urged users to disable JavaScript in Reader and Acrobat to protect against attack. Both vulnerabilities -- the first, which affects Adobe's Windows, Mac and Linux software, and the second that apparently only affects Linux -- have gone public with supporting proof-of-concept attack code.

Adobe's pace has quickened since the last Reader zero-day vulnerability. Adobe acknowledged a critical bug on Feb. 19, but waited until Feb. 24 to recommend disabling JavaScript and fixed the flaw on March 10 for Reader and Acrobat 9.x on Windows and Mac. Although the 9.x fix was to release March 11, Adobe finished its work and unveiled it a day early, even though that was also Microsoft's patch day for the month.

Adobe didn't complete its patching until March 24, when it delivered updates for Linux and Solaris, putting the bug's window of vulnerability at between 19 and 33 days.

By comparison, if Adobe patches next Tuesday, the window for the newest flaw would be only 14 days.

"Their timing is the silver cloud," agreed Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's difficult to see through that cloud."

Storms, who has been critical of Adobe's security process, remained so today. Not only has Adobe set the Reader patch for the same day that Microsoft will roll out it own fixes, but the paucity of information and the lack of security management tools from Adobe continues to frustrate Storms.

"We've been trying to figure out ways to roll out [Adobe's] mitigation of disabling JavaScript," Storms said. "We're trying to find an easy way to deploy that setting change, and then pull that out when the patch arrives, but we're still grappling with that. Plus, we don't even have a real sense for what the risk is looking like now."

Storms contrasted the lack of information, and lack of a tool to automate the process of disabling Reader's JavaScript, with Microsoft's clear-cut directions for vulnerabilities in, say, an Internet Explorer ActiveX control.

"If Adobe had said, here's the risk and here's a way to do this [mitigation] quickly in the enterprise, we'd be talking about a different story," Storms argued. "But they don't give us that information up front."

Adobe wasn't able to immediately answer several questions about the impending patch, including whether the faster pace is a result of more resources devoted to the fix or a side effect of the nature of the vulnerability itself.

Storms thinks he knows: "My guess is that they took some heat last time, and they put more resources on it," he said.

"You can't really criticize software for having bugs, because all software was bugs," Storms added. "But you can [criticize a vendor] for its entire security lifecycle and its lack of tools. That's what makes a difference. Are they going to be on your [security] team or not depends on how they respond to a vulnerability and how they deal with it."

According to Adobe's security advisory, no in-the-wild exploits have been reported targeting the two unpatched vulnerabilities.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags exploits and vulnerabilitiesadobepdf bugzero day exploit

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?