Adobe issues emergency PDF patches
Researcher says Adobe actually made the vulnerability more conspicuous to hackers by issuing a fix outside the regular security update schedule
As expected, Adobe Tuesday released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software. Adobe ranked both bugs as critical.
Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise today by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe's ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.
[ Security vendor McAfee predicted Adobe's Flash and Acrobat Reader will become the preferred targets for hackers in 2010. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack, said Andrew Storms, director of security operations at nCircle Network Security.
Between Thursday, when Adobe updated Flash Player, and today, when it patched the same flaw in Reader and Acrobat, the latter programs were theoretically vulnerable to attack if an ambitious hacker had pulled apart the Flash patch and managed to figure out where the vulnerability was within Reader. That didn't happen, Storms noted.
It was the second vulnerability, tagged as CVE-2010-0188, that drew his attention. "Adobe credited it to Microsoft," said Storms, "which in itself is interesting." The bug was reported by the Microsoft Vulnerability Research Program (MSVR), where Microsoft security researchers submit flaws they find in third-party software, such as browser plug-ins like Reader.
Microsoft may have found the vulnerability through its own security process, or it may have been reported by a Microsoft customer to the company, which then passed it along to Adobe. The latter declined to say which was the case, but did say it wasn't aware of any in-the-wild exploits of either vulnerability patched Tuesday.
What intrigued Storms the most was that today's update was outside the regular quarterly security release schedule Adobe's set its PDF software. "Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit."
Storms argued that by updating Reader and Acrobat today -- about two months before the next slated update, April 13 -- and not explaining why it went out-of-band, Adobe's actually made the CVE-2010-0188 vulnerability more conspicuous to hackers.
"Like usual, the bulletin contains minimal information," said Storms, who has criticized Adobe's security procedures in the past. "We're not familiar with the internal decision-tree of what makes a patch out-of-band and what doesn't. That opaqueness draws more attention than if they were transparent," he said.
