Patch Critical Security Flaws in Adobe Reader and Acrobat
By Tony Bradley, PCWorld
As previously announced, Adobe has released an out-of-band update for Reader and Acrobat that addresses vulnerabilities revealed at the Black Hat security conference last month. The update is rated as Critical and should be applied immediately to affected systems.
According to a post on the Adobe Product Security Incident Response Team (PSIRT) blog, “The updates address critical security issues in the products, including CVE-2010-2862 discussed at the recent Black Hat USA 2010 security conference and vulnerabilities addressed in the August 10 Adobe Flash Player update as noted in Security Bulletin APSB10-16. Adobe recommends that users apply the updates for their product installations.”
Adobe also stressed that it is not aware of any exploits in the wild for the any of the issues addressed in this security bulletin, and that this release does not affect the date of the next scheduled quarterly update–which remains October 12, 2010.
Apparently, I have misstated the scope of the quarterly update cycle in the past, though. An Adobe spokesperson contacted me to clarify Adobe’s process, explaining “the quarterly update cycle is specific to Adobe Reader and Acrobat. Other Adobe product teams work with Adobe’s Secure Software Engineering Team (ASSET) to deliver updates as appropriate–cycles may be different from the patch cycle for Adobe Reader and Acrobat.”
Andrew Storms, Director of Security Operations for nCircle, commented on the Adobe bulletin. “Adobe has definitely improved their release mechanism. This time they sent a communication stating that they would deliver an out-of-band patch. Unfortunately, since the first announcement, the exact date for the release has changed, leaving enterprise security teams scratching their heads,” adding “Adobe’s initial inability to provide an exact release date leaves a lot of users feeling queasy about their release engineering cycle.”
Storms also feels that the details and guidance from Adobe leave a little to be desired “Adobe still has a long way to go in providing useful details with their security bulletins, especially compared with other vendors. As usual, this one lacks useful details and mitigation information.”
As Storms noted, though, Adobe is improving. The Adobe spokesperson commented “given the relative ubiquity and cross-platform reach of many of our products, in particular our clients, Adobe has attracted–and will likely continue to attract–increasing attention from attackers. However, Adobe employs industry-leading security software engineering practices and processes in building our products and responding to security issues, and the security of our customers will always be a critical priority for Adobe.”
The implementation earlier this year of an updater utility to automate patching for Adobe products, combined with efforts to build more security measures such as sandboxing into future product releases, and Adobe’s efforts working directly with Microsoft and major security vendors to improve product security and reduce the time required to develop critical patches all demonstrate Adobe’s commitment to security.
Hopefully, in the future Adobe will provide more details about the specifics of the flaws and how they can potentially be exploited, as well as mitigations that can prevent attack in lieu of applying the update. IT admins need such information to allow for proper risk analysis and to provide alternative means of guarding against exploit pending implementation of the update, or in cases where a system can not be patched for some reason.
For now, I recommend you apply the Adobe Reader, Acrobat, and Flash updates to all vulnerable systems before the malware developers catch up and start exploiting these vulnerabilities.