An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.
Adobe Systems has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until Wednesday, March 11.
[ See also: "Adobe to patch Flash vulnerabilities for three platforms" and "Adobe flaw has been used in attacks since early January" | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.
"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," Stevens said in a blog post.
Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."
Adobe plans to patch Reader and Acrobat 9 [this] week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.
Adobe has said it will post a notification on its security site when it issues patches this week.
Computerworld is an InfoWorld affiliate.
This story, "Unpatched PDF bug poses growing threat, say researchers" was originally published by Computerworld.