Despite increasingly frequent attacks, no update for Adobe's Reader
While the first websites are already exploiting the hole in Adobe Reader to infect Windows PCs, Adobe says that it does not plan to publish an "emergency patch" before January 12, 2010 because other holes would remain open if it did so.
The next round of updates is scheduled for January 12, and Adobe says it does not want to fiddle with scheduling. As Adobe's director of product security, Brad Arkin, explained, if the emergency patch were pulled forwards, the regular three-month patch cycle would have to be extended, possibly leaving other previously unknown holes unpatched for several weeks. It is not known whether these other holes are even more critical than the known one. On the last patch day in October, Adobe remedied 29 vulnerabilities in Reader. The vendor says that the published workarounds provide two ways of dealing with the problem for the time being.
News portal timesunion.com reported the first attack by a website on its visitors, which took place while comics from service provider King Features were being displayed. The report says that criminals penetrated King Features' database to inject specially crafted PDF documents. Automatically distributed to various portals, the documents then reached the websites of timesunion.com. There is still no word on how the criminals managed to break into the database.
- Adobe not planning to close critical vulnerability in Reader until January, a report from The H.
- Attacks on unpatched holes in Adobe Reader and Acrobat, a report from The H.