Critical hole in Adobe Reader - and nobody wants to know
Some things have become so commonplace that nobody even takes much notice of them anymore. Security expert Charlie Miller found this to be the case when presenting a gaping hole in Adobe's Reader product at the Black Hat conference one week ago. After his presentation, Miller said: "Adobe security is so bad that […] not a single person tweeted it. Sad."
Adobe has since confirmed the hole, which affects the current version of Adobe Reader for Windows, Mac OS X and Unix and can be exploited to inject arbitrary code into a system and execute it there. Whether older versions are also vulnerable remains unclear. Adobe said it is working on a patch and is currently determining whether the information disclosed by Miller warrants an out-of-schedule update or whether to fix the flaw on the next scheduled patch day. So far, there have been no signs that the hole is being exploited in the wild.
Last May, Adobe's director of product security and privacy, Brad Arkin, told The H's associates at heise Security that his company is considering whether to shorten the quarterly update cycles of Adobe Reader and Acrobat to 30 days. The vendor is reportedly also interested in deploying patches via other channels such as Microsoft Update.
Another recent PDF hole allows users to jailbreak iPhone, iPod touch and iPad devices by directly accessing the JailbreakMe.com page from the device. According to F-Secure, however, this hole doesn't affect Adobe Reader. With Foxit Reader, on the other hand, the hole can apparently at least be exploited to trigger a crash.