Adobe issues first quarterly patch release fixing 13 flaws

By By Michael S. Mimoso, Editor, Information Security magazine 09 Jun 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Adobe released its first regularly scheduled set of quarterly security patches today for its Reader and Acrobat products, coinciding with a heavy Patch Tuesday release from Microsoft.

The critical fixes addressed 13 vulnerabilities in Adobe Reader and Acrobat versions 9.1.1 for Windows and Macintosh. The update fixes a stack overflow vulnerability that could be exploited by an attacker to execute code and an integer overflow flaw that could lead to a denial of service condition.

Adobe's update also fixes how Acrobat and Reader handle JBIG2, an image compression format used to convert binary images. The programs contained several memory corruption issues and multiple heap overflow vulnerabilities, according to the Adobe security bulletin.

In addition, the software maker said the "update resolves Adobe internally discovered issues."

Adobe announced on May 20 its intent to regularly release patches every three months. Increasingly, it's Reader and Acrobat products are the target of attacks; research from F-Secure indicates that almost 49% of targeted attacks against file types were against PDFs. That's up from 29% a year ago Yet, despite the ubiquity of the product's installed base and the increasingly high profile nature of attacks against Adobe, research conducted by Qualys indicates the uptake of Adobe patches isn't very high. In fact, Qualys CTO Wolfgang Kandek said 20% of Adobe Reader installations have been patched in the two months between its March and May patch releases.

SearchSecurity radio:

"I think it's a mindset thing, a visibility thing," Kandek said. "With Microsoft, there is good visibility of its security patches; you're aware it of and know what Patch Tuesday is.

"I think we have to raise the visibility of the Adobe security issue," Kandek said. "Talk to your patch management systems, make sure auto-update is working."

Brad Arkin, director of product security and privacy at Adobe, wrote on his blog that since February, engineers at Adobe have been concentrating heavily on software security, especially around code hardening, improving incident response and processes, and providing regular security updates.

Arkin wrote that Adobe new code and features for Reader and Acrobat must pass muster with the company's Secure Product Lifecycle (SPLC).

"The Adobe SPLC integrates standard secure software activities such as threat modeling, automated and manual security code reviews, and fuzzing into the standard Adobe Product Lifecycle we follow for all projects," Arkin wrote. He added that this is standard for new code, but does not exist threats in existing products. To address those issues, Adobe engineers have been hardening at-risk areas of legacy code, he wrote.

"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," Arkin wrote. "Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes."

Kandek thinks Adobe's quarterly releases are a step in the right direction.

"But I think the three-month cycle is too slow," Kandek said. "Vulnerabilities come up faster than every three months. We dealt with a zero-day vulnerability six weeks ago (April 28), and now another set of patches is ready. That tells me they have enough volume to do monthly releases."

Tags: Securing Productivity Applications,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications Software piracy group offers cash to whistleblowers How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Security Patch Management What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary