Adobe delivers Reader patch (very quietly)

If you got a prompt to upgrade your Adobe Reader to version 8.1.2 you're not alone. Betcha didn't know it's a major security fix though.

Why? You wouldn't know because Adobe hasn't told anyone. The best information you'll get is a few snippets in an Adobe Knowledge Base article. The Reader update is AWOL on Adobe's security bulletin site. Here's what Adobe had to say:

The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.

Oh really? I got this update prompt early this am and as usual I did the "remind me later" trick. I would have taken the update more seriously if I knew there was a vulnerability issue.

Ryan Naraine reports that this Adobe update on the sly plugs a vulnerability that allows rigged PDF files to launch code execution attacks. Immunity has posted a proof-of-concept exploit to boot.

In the grand scheme of things Adobe is delivering a run-of-the-mill patch. What's annoying is the disclosure--or lack of it. This gets to the heart of what IBM's ISS unit was talking about yesterday when it reported that vulnerability disclosures were down in 2007. A sign of progress? Not quite. It's just that people are keeping mum about vulnerabilities.

Update: Adobe has issued a statement. Here's the full text:

On Feb. 6, Adobe made available an update to Acrobat and Adobe Reader 8.x. It updates the Windows and Mac versions of Acrobat to 8.1.2, and the Windows, Mac, Linux, and Solaris versions of Adobe Reader to 8.1.2.

In addition to addressing bug fixes and providing support for Mac OS X Leopard (up through version 10.5.1), the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable.

Adobe recommends users of Acrobat and Adobe Reader 8.x install the update to protect themselves.

Adobe plans to share further information on the topic within a few days via the company’s Security Bulletins and Advisories page (http://www.adobe.com/support/security/), at which point the company has completed the process of responsible disclosure with third-party stakeholders.

Topics: Enterprise Software, Security

Talkback

8 comments
  • Why should they disclose?

    I mean other than giving a heads up to hackers to strike before everyone is patched...
    No_Ax_to_Grind
    • Sure enough, but....

      don't then start claiming that your product is more secure because it had fewer vulnerabilities.
      magcomment
      • thank you, both of you

        This is No_Ax's point: no double standard, be it Microsoft, Adobe, or any other software developer.
        killerbunny
    • Why? Because not everyone runs those updaters

      I update programs when I know there are issues.

      Ever update your Java? Each update installs a new instance taking up 100 megs or more of 'crap' that you 'can't do without' but because Sun can't be sure if their update will break something you already use... oh no... they must make sure each version works and thus you get stuck with umpteen versions..

      Additionally ... I don't need these updaters running 24/7 on a PC, phoning home to mama asking if something has been updated.. and regardless of setting for daily, weekly, or monthly checks, it's still going to run code to see .. "is this really the 30th day from the last update?"

      There are parts of Apple and Adobe that suck. No other words for it, they suck, and it's their installation and update routines at the core of "they suck".

      Stupid settings don't help either.. such as the "add new icon" and my always favorite "overwrite the user's selections with your own" ... such as file type, and not opening in the browser, and oh.. my favorite of those... the one that stops the prompt for download..

      Time was .. the idea that you would be prompted for downloading files was the key to "something" happening that you might not have expected. Thanks so much for all of these programs removing said "Download Dialog" boxes now I really don't know if that flashing network icon means I'm getting massive amounts of traffic or if something is downloading on me in the background.. again because I didn't get a prompt to ASK me if it was ok to DL and OK to Run/Save/what have you..

      RealPlayer is another in that line.. thankfully it's stupid enough that you rename its scheduler/updater and it doesn't put it back until the next "update".
      TG2
    • Duh?

      Because the hackers often have already found these flaws. How about a heads up to users?? Did ya think about that?
      Techboy_z
  • Hmmm...methinks Adobe is less silent than Microsoft (NT)

    NT
    nomoremicrosoft
    • LOL!

      Typical nomorems!
      GuidingLight
  • Re-adding the Reader icon to my desktop doesn't count as quietly...

    Ugh, just like QuickTime does, Reader's update insisted on placing a brand spankin new shortcut icon on my desktop, despite the fact I'd deleted it before. Grrr!
    PB_z