If you got a prompt to upgrade your Adobe Reader to version 8.1.2 you're not alone. Betcha didn't know it's a major security fix though.
Why? You wouldn't know because Adobe hasn't told anyone. The best information you'll get is a few snippets in an Adobe Knowledge Base article. The Reader update is AWOL on Adobe's security bulletin site. Here's what Adobe had to say:
The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.
Oh really? I got this update prompt early this a.m. and as usual I did the "remind me later" trick. I would have taken the update more seriously if I knew there was a vulnerability issue.
Ryan Naraine reports that this Adobe update on the sly plugs a vulnerability that allows rigged PDF files to launch code execution attacks. Immunity has posted a proof-of-concept exploit to boot.
In the grand scheme of things Adobe is delivering a run-of-the-mill patch. What's annoying is the disclosure--or lack of it. This gets to the heart of what IBM's ISS unit was talking about yesterday when it reported that vulnerability disclosures were down in 2007. A sign of progress? Not quite. It's just that people are keeping mum about vulnerabilities.
Update: Adobe has issued a statement. Here's the full text:
On Feb. 6, Adobe made available an update to Acrobat and Adobe Reader 8.x. It updates the Windows and Mac versions of Acrobat to 8.1.2, and the Windows, Mac, Linux, and Solaris versions of Adobe Reader to 8.1.2.
In addition to addressing bug fixes and providing support for Mac OS X Leopard (up through version 10.5.1), the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable.
Adobe recommends users of Acrobat and Adobe Reader 8.x install the update to protect themselves.
Adobe plans to share further information on the topic within a few days via the company’s Security Bulletins and Advisories page (http://www.adobe.com/support/security/), at which point the company has completed the process of responsible disclosure with third-party stakeholders.