After more than two weeks (months?) of inexplicable silence on mitigations for a known code execution vulnerability in its Reader and Acrobat product lines, Adobe has finally posted public information on the problem, but the company's response falls well short of providing definitive mitigation guidance for end users.
[ For background and a timeline on how *not* to handle incident response, HD Moore's blog post is a great start. ]
Here's what we have from Adobe:
- Launch Acrobat or Adobe Reader.
- Select Edit>Preferences.
- Click OK
While this information is better than the silence we've gotten from Adobe since the attacks became public, it falls well short of providing the protection information that businesses and end users need when in-the-wild malware attacks are occurring.
The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.
As my former ZDNet Zero Day blog colleague Nate McFeters points out, the issue is much worse than first imagined.
- I decided I'd test this out and found that on a fully patched Mac OS X build, Safari 4, Mail.app, Preview.app, and potentially others all crash using the proof of concept exploit provided on milw0rm. The crash is actually in PDFKit, which supports all of those applications and likely much more.
If Secunia can do it based on information that's public, what's to stop malicious hackers with major financial motivation?
So what now, Adobe?