Adobe Serves Up Critical Patch for Acrobat, Reader

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Adobe Systems on Tuesday released a patch for a critical PDF zero-day vulnerability that was causing computers running its ubiquitous Reader and Acrobat applications to shut down and, in some cases, be infiltrated by hackers.

The highly anticipated patch also includes a new update process that, once activated, will keep end users up to date in a much more streamlined and automated way, according to a posting on the Adobe Reader blog. adobe_pdf_security_200x150.jpg

"This is the first time we've exercised the new updater with 'official' updates, which allows us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience," Adobe project manager Steve Gottwals wrote in the post. "Over the next few weeks, we will be analyzing the test results and will continue communicating important details with you, including when we expect it to be active for all users, which could be as soon as our next update."

Security software vendors and analysts had previously Adobe's earlier update process was cumbersome and inefficient, often discouraging users to the point that they would simply not apply the new patches -- leaving the applications open to abuse from hackers.

In addition to the new patch and updater process, Adobe (NASDAQ: ADBE) officials are advising users of Adobe Reader 9.2 and Acrobat 9.2 as well as earlier versions for Windows, Macintosh and UNIX to update to Adobe Reader 9.3 and Acrobat 9.3. For user running Adobe and Reader on Windows and Macintosh who cannot update to Reader 9.3, Adobe has provided the Adobe Reader 8.2 update for all platforms.

Adobe officials said it has been shipping a new "beta" updater in a passive state since its quarterly update in October.

In December, Adobe acknowledged the zero-day vulnerability in a blog posting, noting that the "vulnerability is being actively exploited in the wild." At the time, the company recommended customers use the JavaScript Blacklist Framework functionality or that they simply disable JavaScript in versions of both applications to "mitigate" the vulnerability until it releases the fixes Tuesday.

"The JavaScript Blacklist Framework worked as planned and we had positive feedback from customers who were able to utilize the mitigation effectively," Adobe said on its blog.

Separately, Adobe this week confirmed that its own networks were the subject of "sophisticated and coordinated cyber attacks" in mid-December.

In another posting, Adobe officials said the attacks affected corporate network systems managed by Adobe and 20 other unnamed companies.

Adobe is investigating the source and methods used to carry out the attempted hacks but added that no sensitive data was stolen.

According to security software experts, the popularity of Adobe's publishing and editing applications makes them especially appealing to hackers and phishers looking to install and distribute malware. Because Reader and Acrobat are so common and widely used, most people don't give a second thought to clicking on attachments created with the familiar applications.

Adobe has addressed this PDF zero-day vulnerability before and issued a flurry of patches to safeguard its applications from a variety of security holes.

Larry Barrett is a senior editor at InternetNews.com, the news service of the internet.com network.