Patch day for Adobe
As planned and in parallel with Microsoft's patch day, Adobe has issued security updates to eliminate the 13 publicly known vulnerabilities in past and present versions of Adobe Reader and Adobe Acrobat. The updates also eliminate several vulnerabilities that were discovered during internal audits, but no further information is given about these. Adobe describes many of the vulnerabilities as critical, because they allow crafted PDF documents to inject malicious code into a system and run it. Most of the bugs again affect the JBIG2 filter.
Anti-virus software producers now report that targeted attacks on vulnerabilities in PDF applications have left those aimed at Word and Excel far behind. That fact makes it all the more important to install the updates as soon as possible. However, the updates to version 9.1.2 (and to 8.1.6 and 7.1.3 for the older products) are initially only available for Windows and Mac. Those for Unix platforms are not due to be released until 16 June.
From now on, Adobe security updates are to appear every three months, on the second Tuesday of the respective month – in parallel with Microsoft's updates. During the intervening three months, Adobe plans to investigate its code for vulnerabilities and fix them, in accordance with a newly introduced Secure Product Lifecycle (SPLC). Adobe previously only issued security updates when security vulnerabilities became known, but it's now reacting to the oft-expressed wishes of security experts for improvement in its security policies.
- Security Updates available for Adobe Reader and Acrobat, Adobe security bulletin.
- Adobe to release quarterly security updates, a report from The H Security.
- F-Secure advises against using Adobe Reader, a report from The H Security.