Adobe issues patch to block zero-day flaw

By Robert Westervelt, News Editor 10 Mar 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Adobe issued a critical update Tuesday plugging a serious zero-day vulnerability in Acrobat Reader that was being actively exploited by attackers.

Hackers have been spreading malicious PDF files in targeted attacks in an attempt to exploit a processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow. If successfully exploited, the flaw could give attackers access to critical system files.

Related Adobe news: Sourcefire issues Adobe zero-day patch to block attacks: "Home brew patch," blocks attempts by hackers to exploit an unpatched buffer overflow vulnerability in Adobe Reader 9. Attackers target new Adobe zero-day flaw: Attackers are actively targeting a zero-day flaw in Adobe Acrobat Reader software, according to a warning from Symantec.   Adobe updates Flash Player to fix clickjacking, buffer overflow flaws: Flaws in Adobe Flash Player could be used by an attacker to gain access to system files and take control of a computer. Adobe recommends updating to the latest version.

"This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe said in its security bulletin.

Adobe Reader 9.1 and Acrobat 9.1 update corrects the JBIG2 stream array indexing error. The image compression format is used to convert binary images. Adobe said it expects to issue updates for Adobe Reader 7 and 8, and Acrobat 7 and 8 by March 18. An update to Adobe Reader 9.1 for Unix will be released by March 25.

Symantec said researchers there were given a sample of the threat Feb. 12. Adobe said it had been testing a patch prior to Tuesday's release. It has come under increased pressured by some security researchers for its handling of the zero-day and taking too long to issue an update.

"They just don't appear to have taken it serious enough," said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc. "They need to work better at communicating to their customers."

SearchSecurity radio:

Wolfgang Kandek, chief technology officer of patch management vendor Qualys Inc. said Adobe should have issued an update much faster to accommodate its large user base, despite ongoing attacks being limited and targeted.

"… it makes me wonder whether Adobe has a setup to react to security flaws in an out-of-band manner, rather than through normal product cycles vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quick develop and deploy a fix," Kandek said in a prepared statement.

Tags: Security Patch Management,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Securing Productivity Applications Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary