With the PDF format pervasive across the Web, Adobe's Acrobat and Acrobat Reader apps remain among the most commonly found software, being the most popular ways to interact with PDFs, a format that Adobe originated. But for the last two months, Acrobat users have been at risk from a vulnerability that could potentially enable an attacker to take over a system.
That issue is now solved -- almost.
Late on Tuesday, Adobe (NASDAQ: ADBE) issued a patched version of Reader and Acrobat version 9 for Windows and Apple Macs, updating both to version 9.1. Linux and Unix users of Adobe's Reader and Acrobat are still without a patch, however.
Additionally, Adobe has not issued a simultaneous update for earlier versions of Reader or Acrobat on any platform.
"Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18," Adobe stated in its advisory. "In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25."
An Adobe spokesperson was not immediately available for comment.
Adobe describes the zero-day flaw in its advisory as triggering an application crash that could potentially enable an attacker to take control of users' systems. Adobe also added that there are reports that the vulnerability is being exploited.
Though Kandek found a workaround, and vendors like Qualys and others have provided protection against the flaw, he said he remained critical of the length of time it took Adobe to issue a patch.
"Adobe was first notified of the problem in January and has been working for the last two months to develop and test the patch, and is finally ready to get it out to its users," Kandek said. "Two months seems to be a rather long time to address the issue and it makes me wonder whether Adobe has a setup to react to security flaws in an out-of-band manner, rather than through normal product cycles."
"Vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quickly develop and deploy a fix," he added.
This article was first published on InternetNews.com.