Adobe secretly patches critical PDF flaw

By Ed Oswald, BetaNews

February 6, 2008, 5:21 PM

The company silently slipped in a fix for a critical vulnerability, preventing PDF files from being used in code execution attacks, eWEEK reports.

Immunity confirmed the fix by reverse-engineering the patch, and found that it addresses a stack overflow issue, a kind of flaw normally afforded a "highly critical rating" by Adobe.

At least one security firm, Immunity, has published proof-of-concept code for the flaws. As evidence that this flaw was fixed in Reader 8.1.2, news outlets confirmed that the proof-of-concept crashed unpatched versions of Reader.

Secunia estimates, based on its Personal Software Inspector surveys, that six in ten Windows Reader users may be vulnerable to attacks using this method.

The security community is apparently up in arms over the fix because there was no published disclosure of it. The release notes for the patch allude only to "security vulnerabilities" and give no specifics.

A request for comment from Adobe was outstanding at press time. As of late Wednesday afternoon, no public advisory on the flaw had been published to the company's website.


By Skyfrog

posted Feb 7, 2008 - 1:57 PM

Why don't they secretly patch the several-versions-old bug that causes AdobeUpdater.exe to go into a loop and eat up 99% of your CPU with no way to kill it?

Oh yeah, they're incompetent. Carry on.

Score: 0

By mjm01010101

posted Feb 6, 2008 - 5:30 PM

Been testing this patch all day. We will roll it out tomorrow if nothing strange is reported.

Adobe in my mind makes the most publicly vulnerable software: Flash, Shockwave, Acrobat, and they have the worst communication to deal with it. I'll bite my tongue and say MS is even better.

Score: 0

By the artist

posted Feb 6, 2008 - 6:15 PM

"We"? Who do you work for?

Score: 0

By mjm01010101

posted Feb 6, 2008 - 6:53 PM

The Man.

Score: 0

By PC_Tool

posted Feb 6, 2008 - 8:39 PM

I've seen him post here occasionally. Not really sure what he does for a living though... ;)

Score: 0

By the artist

posted Feb 6, 2008 - 8:38 PM

Osama!

Score: 0

By mjm01010101

posted Feb 7, 2008 - 7:49 AM

Hey the perks aren't that great, but I gotta say that the man has a certain amount of class you don't find in your normal 9 to 5.

Score: 0