Adobe secretly patches critical PDF flaw
By Ed Oswald | Published February 6, 2008, 5:21 PM
The company silently slipped in a fix for a critical vulnerability, one that prevents PDF files from being used in code execution attacks, eWEEK reports.
Immunity confirmed the fix by reverse-engineering the patch, and discovered that it addresses a stack overflow issue, a kind of flaw normally afforded a "highly critical rating" by Adobe.
At least one security firm, Immunity, has published proof-of-concept code for the flaws. As evidence that this flaw was fixed in Reader 8.1.2, news outlets confirmed that the code crashed unpatched versions of Reader.
Secunia estimates, based on its Personal Software Inspector surveys, that six in ten Windows Reader users may be vulnerable to attacks using this method.
The security community is apparently up in arms over the fix because there was no published disclosure of it. The release notes for the patch only allude to "security vulnerabilities," and give no specifics.
A request for comment from Adobe was outstanding at press time. As of late Wednesday afternoon, no public advisory on the flaw had been published to the company's website.
Why don't they secretly patch the several-versions-old bug that causes AdobeUpdater.exe to go into a loop and eat up 99% of your CPU with no way to kill it?
Oh yeah, they're incompetent. Carry on.
Score: 0
Been testing this patch all day. We will roll it out tomorrow if nothing strange is reported.
Adobe in my mind makes the most publicly vulnerable software: Flash, Shockwave, Acrobat, and they have the worst communication to deal with it. I'll bite my tongue and say MS is even better.
Score: 0
"We"? Who do you work for?
Score: 0
The Man.
Score: 0
Osama!
Score: 0
I've seen him post here occasionally. Not really sure what he does for a living though... ;)
Score: 0
Hey the perks aren't that great, but I gotta say that the man has a certain amount of class you don't find in your normal 9 to 5.
Score: 0