Adobe Explains Critical Fix Delay

Adobe director for product security and privacy Brad Arkin says the company decided to wait until its January 12, 2010 quarterly security update to fix a critical PDF flaw that has been exploited in the wild since November, because releasing an out-of-cycle patch would have pushed the scheduled update out an additional month.  Adobe has offered a temporary workaround that uses the JavaScript Blacklist Framework to protect computers from known vulnerabilities without disabling JavaScript entirely, so users can protect their computers until the patch is available.

Arkin added that rolling out two updates would prove more expensive and time consuming for companies that need to apply the patches.  I think that is actually the business’ decision and the real issue here is that Adobe started late on developing this patch.  Connecting with legitimate security researchers should be a priority for Adobe in 2010.  Given the number and frequency of serious vulnerabilities being found in Adobe’s products, monthly patch releases would be in order.  It is almost 4 years to the day after Microsoft learned its painful lessons with the WMF vulnerability.  Don’t leave customers defenseless against an in-the-wild exploit.

EDIT:  There are reports that attackers are exploiting this unpatched flaw in Adobe Reader on an online comic strip syndication service.  Hackers have also exploited a vulnerability on a movie review website to redirect visitors to a server containing a maliciously crafted PDF file.  The attackers exploited a vulnerability in a PHP script on one of the movie site’s servers.  The PDF file exploits two known and patched Adobe Reader vulnerabilities.