Adobe issues fix for zero-day Reader vulnerability

March 10, 2009 5:14 PM PDT
by Elinor Mills

Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer. Exploits for the flaw had reportedly been found in the wild for nearly two months.

Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.

Basically, attackers can take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.

In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.

Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.

The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.

Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month’s Patch Tuesday.

One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.

“Having the patch early is a huge benefit, but releasing it on the same day as Microsoft’s planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication,” said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.

Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.


And patch ’em up

Douglas Beard
