Adobe won't fix zero-day exploit until mid-January
By Barry Collins
Posted on 17 Dec 2009 at 08:33
Adobe has decided to delay rolling out a fix to a security hole in Reader and Acrobat until 12 January.
Earlier this week Adobe admitted that a flaw in Reader and Acrobat had been exploited in the wild. The hole allows a malicious PDF to execute code, even on fully-patched versions of Adobe's software.
In an update posted on the Adobe Secure Software Engineering Team blog, the company says it's decided to wait and address the bug in its next quarterly security update, rather than rush out a fix beforehand.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on 12 January 2010," the blog states.
Adobe claims that dropping everything and working on an immediate fix for this latest hole could delay the regular quarterly update, creating further problems. "We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks," Adobe claims. "Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for 12 January 2010."
"The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative," the company adds. "Additionally, an informal poll we conducted indicated that most of the organisations we talked with were in favour of the second option, to better align with their schedules."
Hot Air From Bloatware
And 'hot air' in this case is a euphemism.
Why doesn't the Adobe press release come with a translation? 'We know there's a huge security hole in our software, and now the world of black-hat hackers knows it too, but it's Christmas and we can't be arsed to fix it because that might mean having to work a bit over the holidays. And I asked my mate Terry across the road if he was bothered and he said not really and would I like another drink?'
And they should have added as a postscript, 'If you're worried, use Foxit Reader for now, because we're sure you won't be impressed by its speed and tiny size, and that you'll still come back to Adobe's bloated, compromised package, with its happy associations of ripoff UK pricing, when we feel like correcting our mistakes...'
By Noghar on 17 Dec 2009
How can that many holes take up so much memory?
For business I think we should shift to a more modular system of data exchange, so company A can send a PDF to company B knowing that the PDF can only contain a fixed, agreed range of characters and features. Files like PDF have grown in functionality to such an extent that a "fully featured" PDF is more like sending an EXE in the 90s. If it was agreed what a "Business-Type1-PDF" could contain or display, it would be much easier to secure the software and limit exposure.
There are extra security considerations with every new feature, and we are encouraged to embrace it all regardless of need.
PDF is a bad case because it is a cross-platform, universal file type that people tend to think they know and, as a result, trust.
Try opening a current PDF in an early Acrobat: that file is not the same thing it was.
By Powernumpty on 17 Dec 2009
4 weeks instead of 3?
Noghar,
Whilst getting the patch out in the first week of January would be possible, looking at the time scales they are talking about, isn't it better to wait another week and roll out all the fixes in one hit, as opposed to a fix in the first week, which would delay the planned quarterly release by a couple of weeks so that it would then come out at the end of January?
To be honest, from a logistics and planning point of view, it does make sense. But it isn't any consolation for the users stuck with buggy software.
In the meantime, switch off JavaScript in Reader...
By big_D on 17 Dec 2009
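The stop-gap big_D suggests is the user-side half of the problem; the other half is knowing which incoming PDFs carry script or auto-run actions at all, so a mail gateway or an analyst can hold them back until the January patch lands. The following Python triage script is an added example for this page, not code from Adobe, the article or its commenters. The watch-list of PDF name objects, the "quarantine" rule and the three sample documents are all constructed assumptions, and since the article does not say which Reader feature the flaw lives in, this is a general active-content check rather than a signature for that particular bug. It goes a little beyond a plain grep: it decodes the `#xx` escapes PDF allows inside names (so `/J#61vaScript` is still seen) and inflates `/FlateDecode` streams, because object streams hide their dictionaries inside compressed data.

```python
"""Flag PDFs that carry script or auto-run actions before they reach a Reader.

Added example for this page, not Adobe's or the article's code. The watch-list,
the 'quarantine' rule and the sample documents are constructed assumptions.
"""
import re
import zlib
from typing import Dict, List, Tuple

# Name objects that give a PDF active behaviour: script, actions that fire on
# open or on page events, and launching external programs. Assumed watch-list.
ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes, so /J#61vaScript reads as /JavaScript.

    Applied to the whole buffer rather than only inside names: good enough for
    triage, and it defeats the cheapest evasion of a grep-style filter.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every /FlateDecode stream.

    Object streams hide their dictionaries inside compressed data, so a scan
    of the raw bytes alone misses keys placed there. Streams that fail to
    inflate are skipped (best effort, not a full PDF parser).
    """
    parts = [data]
    for dict_part, body in _STREAM.findall(data):
        if b"/FlateDecode" in dict_part:
            try:
                parts.append(zlib.decompress(body))
            except zlib.error:
                continue
    return b"".join(parts)


def count_active_keys(data: bytes) -> Dict[str, int]:
    """Count each watch-listed name in data (a name ends at a delimiter or whitespace)."""
    counts: Dict[str, int] = {}
    for key in ACTIVE_KEYS:
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, data))
        if n:
            counts[key] = n
    return counts


def triage(pdf: bytes) -> Dict[str, object]:
    """Inflate, normalise, count, decide. Returns the evidence alongside the verdict."""
    counts = count_active_keys(normalise_names(inflate_streams(pdf)))
    has_script = "/JavaScript" in counts or "/JS" in counts
    runs_on_open = "/OpenAction" in counts or "/AA" in counts
    verdict = "quarantine" if has_script or "/Launch" in counts else "allow"
    return {"keys": counts, "has_script": has_script,
            "runs_on_open": runs_on_open, "verdict": verdict}


# --- constructed samples (structure only, no exploit) ------------------------

def make_pdf(objects: List[Tuple[int, bytes]]) -> bytes:
    """Minimal PDF skeleton; the xref table is omitted, a scanner never needs it."""
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (num, obj) for num, obj in objects)
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN = make_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R >>"),
    (2, b"<< /Type /Pages /Kids [] /Count 0 >>"),
])

# Script wired to document open, with the action type written as /J#61vaScript.
SCRIPT_ON_OPEN = make_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>"),
    (2, b"<< /Type /Pages /Kids [] /Count 0 >>"),
    (3, b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"),
])

# Same action, but object 3 lives inside a Flate-compressed object stream.
_HIDDEN = zlib.compress(b"3 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>")
SCRIPT_IN_OBJSTM = make_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>"),
    (2, b"<< /Type /Pages /Kids [] /Count 0 >>"),
    (4, b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
        % (len(_HIDDEN), _HIDDEN)),
])

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("script-on-open", SCRIPT_ON_OPEN),
                      ("script-in-objstm", SCRIPT_IN_OBJSTM)):
        print(name, triage(doc))
```

Run it and the benign skeleton is allowed while both script-carrying samples are quarantined; the point of the third sample is that a raw byte scan of it sees only `/OpenAction`, and the script is found only after the object stream is inflated. The script deliberately treats any `/JavaScript` or `/Launch` as enough to hold a file, since a document that needs either is rare in ordinary business traffic. On the user side, the preference big_D refers to is Reader's Edit > Preferences > JavaScript page ("Enable Acrobat JavaScript"), which removes the scripting surface but not every other active feature in the watch-list above.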
