In association with heise online

21 December 2009, 17:20

Despite increasingly frequent attacks, no update for Adobe's Reader


While the first websites are already exploiting the hole in Adobe Reader to infect Windows PCs, Adobe says that it does not plan to publish an "emergency patch" before January 12, 2010 because other holes would remain open if it did so.

The next round of updates is scheduled for January 12, and Adobe says it does not want to fiddle with scheduling. As Adobe's director of product security, Brad Arkin, explained, if the emergency patch were brought forward, the regular three-month patch cycle would have to be extended, possibly leaving other previously unknown holes unpatched for several weeks. It is not known whether these other holes are even more critical than the known one. On the last patch day in October, Adobe remedied 29 vulnerabilities in Reader. The vendor says that the published workarounds provide two ways of dealing with the problem for the time being.

Those who do not wish to fall prey to an attack before January 12 can follow Adobe's advice: Windows users can at least switch on Data Execution Prevention (DEP), or users can switch off JavaScript in Reader or Acrobat (Edit > Settings > JavaScript). As a workaround, Adobe has also provided a Windows registry file that generates a key to blacklist the vulnerable JavaScript function, which can then no longer be called. The upcoming security update will reportedly reset that value upon installation.

News portal timesunion.com reported the first attack on a website's visitors, which took place when the site displayed comics from service provider King Features. The report says that criminals penetrated King Features' database to inject specially crafted PDF documents. Automatically distributed to various portals, the documents then reached the websites of timesunion.com. There is still no word on how the criminals managed to break into the database.

(crve)

Permalink: http://h-online.com/-891151
 

