In association with heise online

08 February 2008, 15:53

Guessing games regarding Adobe Reader update


Adobe has released an updated version of its Reader software that fixes a number of unspecified vulnerabilities. The release notes mention in passing that version 8.1.2 of Acrobat Reader fixes vulnerabilities, but the vendor neglects to clarify their severity. In the security community this practice is usually referred to as 'silent fixing': a policy of withholding details so that the true scale of the problem stays hidden. This has led to some disquiet among security specialists. Adobe has since released a security advisory which indicates a number of critical vulnerabilities, but still gives no further information on them.

It appears that some of the vulnerabilities are quite critical and that exploits for them are already available. Security services provider Immunity has delivered two exploits to paying customers in the last two days. One of these is described as a "PoC for Adobe Acrobat Reader (<8.1.2) buffer overflow", the other as a "Fully working exploit for Adobe Acrobat Reader (<8.1.2) Javascript Stack Overflow". At least one of these is likely to allow a system to be compromised. According to unconfirmed reports, one of the vulnerabilities is already being used to infect PCs via crafted web pages.

A brief report that an attacker could gain control of a printer by exploiting another vulnerability was recently published on a security mailing list. Whether spammers have yet spotted the potential for this as a new way of distributing their wares is not known. Users should switch to the latest version 8.1.2, which is available via download for Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows 2003 Server, Windows Vista and Mac OS X.

(mba)

Permalink: http://h-online.com/-734157