Adobe issues fix for zero-day Reader vulnerability

(Credit: Adobe)

Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.

Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.

Basically, attackers can take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.

In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.

Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.

The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.

Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.

One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.

"Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication," said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.

Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.

[Vegaman_Dan]

Perhaps I don't understand the definition of 'zero day'. If this patch applies to a vulnerability discovered two months ago, how does that make it a zero day vulnerabilty?

I see this term used in many different ways here on CNET and appears that there is no concensus on how it should be applied to stories.

[timber2005]

From what I understand, it's the new term for a flaw being exploited before the patch is released (day 0 of it being available).

Turns out I'm wrong, google define says:
"A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application"
Yeah, this doesn't qualify as a zero day flaw.

[Dalkorian]

I think most internet "journalists" use the "zero-day" term pretty loosely in general, but it was my understanding this flaw was exploited prior to Adobe acknowledging it's existence. Wouldn't that technically qualify as a zero-day? Besides, Timber's quote from Google Define mentions exploiting unknown, undisclosed or *UNPATCHED* applications and until today this one certainly qualified as unpatched.

Maybe I'm just feeling generous today, but I think we can give Elinor a break on this one. :-)

[Belinus]

My question is.... why is this not on Adobe Updater? I checked this morning.... there's a Photoshop, Camera Raw, and Media Encoder update but nothing for Acrobat.

[Dalkorian]

I'm guessing Adobe wouldn't want every single Acrobat/Reader install trying to download the patch the same time, or someone hasn't "seeded" the patch yet. Keep checking, it's bound to come up soon. Or check their website, they'll likely have a link to it before the updater is aware anyway.

[alegr]

Luckily for Vista users, Vista, Windows 2008 and Windows 7 run the custom file parsers in a restricted host process, which doesn't let the buffer overflow exploit to take over the computer.

And guys, MAKE SURE YOUR ACCOUNT DOESN'T HAVE ADMINISTRATOR PRIVILEGES.

[claracox]

do not know enough about these issures