Adobe delivers Reader patch (very quietly)

Summary:If you got a prompt to upgrade your Adobe Reader to version 8.1.

If you got a prompt to upgrade your Adobe Reader to version 8.1.2 you're not alone. Betcha didn't know it's a major security fix though.

Why? You wouldn't know because Adobe hasn't told anyone. The best information you'll get is a few snippets in an Adobe Knowledge Base article. The Reader update is AWOL on Adobe's security bulletin site. Here's what Adobe had to say:

The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.

Oh really? I got this update prompt early this am and as usual I did the "remind me later" trick. I would have taken the update more seriously if I knew there was a vulnerability issue.

Ryan Naraine reports that this Adobe update on the sly plugs a vulnerability that allows rigged PDF files to launch code execution attacks. Immunity has posted a proof-of-concept exploit to boot.

In the grand scheme of things Adobe is delivering a run of the mill patch. What's annoying is the disclosure--or lack of it. This gets to the heart of what IBM's ISS unit was talking about this yesterday when it reported that vulnerability disclosures were down in 2007. A sign of progress? Not quite. It's is just that people are keeping mum about vulnerabilities.

Update: Adobe has issued a statement. Here's the full text:

On Feb. 6, Adobe made available an update to Acrobat and Adobe Reader 8.x. It updates the Windows and Mac versions of Acrobat to 8.1.2, and the Windows, Mac, Linux, and Solaris versions of Adobe Reader to 8.1.2.

In addition to addressing bug fixes and providing support for Mac OS X Leopard (up through version 10.5.1), the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable.

Adobe recommends users of Acrobat and Adobe Reader 8.x install the update to protect themselves.

Adobe plans to share further information on the topic within a few days via the company’s Security Bulletins and Advisories page (http://www.adobe.com/support/security/), at which point the company has completed the process of responsible disclosure with third-party stakeholders.

Topics: Enterprise Software, Security

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.