
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Critical Acrobat and Reader Vulnerability - a Month to Patch

In a little over a week from now, Adobe is planning to release a security patch for a vulnerability affecting Adobe Reader and Acrobat 9.2 and earlier on Windows, OS X and Unix. The vulnerability can allow an attacker to take control of a vulnerable system when the victim is tricked into opening a malicious PDF, and it was reportedly being exploited in the wild before Adobe published its security advisory on December 15.

Like many Adobe Acrobat and Reader vulnerabilities before it, this one lies in how the applications process JavaScript embedded in PDF files. The advice given for earlier vulnerabilities, to disable JavaScript in Reader and Acrobat, still stands: it mitigates this class of PDF attack, although it leaves users exposed to embedded attacks that do not rely on JavaScript.

The weakness of this hardening step is that whenever Reader opens a file containing JavaScript while JavaScript support is disabled, it prompts the user to re-enable it. Users therefore need to stay alert when the application invites them to reverse a setting they changed to make their system safer, and should decline that prompt for any document they did not expect to contain scripts.
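Disabling JavaScript in Reader is the mitigation the advisory points to, but it is also worth being able to tell, before opening a file, whether a PDF carries JavaScript at all and whether that script would fire automatically. The scanner below is an added example written for this page, not code from Adobe or from the original article. It looks for the PDF name objects that carry script (/JavaScript, /JS) and the triggers that run it on open (/OpenAction, /AA), after undoing the #xx hex escaping of names that evasive samples use to hide those keywords; the two embedded PDFs are constructed inputs, one with an auto-running script and one clean. It is a keyword triage check only: script hidden inside compressed object streams (/ObjStm) is not decompressed here, so the scan reports when such streams are present rather than claiming the file is clean.

```python
import re
import sys
from typing import Dict

# Constructed sample (not from the article): a minimal PDF whose catalog's
# /OpenAction runs a JavaScript action. The action type is written with a
# hex-escaped name (/J#61vaScript) so that a naive grep for "JavaScript" misses it.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\(1\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed clean sample: same skeleton, no actions and no script.
CLEAN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keywords of interest. \b stops /JS from matching inside other names.
INDICATORS = {
    "javascript": re.compile(rb"/JavaScript\b"),   # action type /S /JavaScript
    "js": re.compile(rb"/JS\b"),                   # the script body itself
    "open_action": re.compile(rb"/OpenAction\b"),  # runs when the document opens
    "additional_actions": re.compile(rb"/AA\b"),   # page/annotation event triggers
    "object_streams": re.compile(rb"/ObjStm\b"),   # compressed objects we do not inspect
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads as /JavaScript.

    PDF permits any byte of a name to be written as #xx. Decoding is applied to the
    whole file as a heuristic; that is acceptable for triage even though a literal
    '#' inside a string could also be rewritten.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count each indicator keyword after name normalisation."""
    data = normalise_names(data)
    return {name: len(rx.findall(data)) for name, rx in INDICATORS.items()}


def verdict(counts: Dict[str, int]) -> str:
    """Summarise the counts the way an analyst would triage them."""
    has_js = counts["javascript"] > 0 or counts["js"] > 0
    auto_trigger = counts["open_action"] > 0 or counts["additional_actions"] > 0
    if has_js and auto_trigger:
        return "suspicious: JavaScript that runs automatically on open"
    if has_js:
        return "contains JavaScript"
    if counts["object_streams"] > 0:
        return "no JavaScript keywords found (compressed object streams present, not inspected)"
    return "no JavaScript found"


def scan_file(path: str) -> str:
    """Scan a PDF on disk and return the verdict."""
    with open(path, "rb") as fh:
        return verdict(scan_pdf(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {scan_file(p)}")
    else:
        print("sample:", verdict(scan_pdf(SAMPLE_PDF)))
        print("clean: ", verdict(scan_pdf(CLEAN_PDF)))
```

Run it against a directory of incoming PDFs before users open them; anything reported as suspicious warrants a closer look with a full PDF parser that inflates streams, and even a clean verdict only means no plain-text keywords were found.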

Adobe has come a long way in its vulnerability handling and security response, and deserves credit for that. However, leaving a critical vulnerability that can lead to system compromise unpatched for a month, especially one already being exploited in the wild, is a gutsy call, all the more so when the advisory has not been updated since December 15.

Given that user apathy is blamed for a large share of unpatched systems (and, ultimately, of successful attacks), a month between the advisory and the patch release seems excessive, but it is still an improvement over not acknowledging the vulnerability at all and leaving the intended patch date unknown.

4 January 2010
