Feeds

Adobe punts fix for Reader, Acrobat holes battered by PC, Mac hackers

Software biz praised for nine-day response

Security for virtualized datacentres

Adobe has pushed out an emergency security update for its PDF viewing software Reader and Acrobat to plug zero-day vulnerabilities that emerged last week.

The cross-platform update, issued yesterday, addresses flaws that were being actively exploited by miscreants to compromise and take over Microsoft Windows and Apple Mac OS X computers. Word of the bugs spread following the publication of a report by security biz FireEye on 12 February. Adobe acted quickly to publicise workarounds a day later, prior to pushing out patches for Windows, Mac and Linux systems on 20 February.

The updates cover all supported product versions (Reader and Acrobat 9, 10, 11) and unsurprisingly they're all rated critical. Adobe's advisory is here.

Paul Ducklin of antivirus outfit Sophos praised Adobe for its prompt response.

The update completes a pretty wretched month for Adobe. Earlier this week Mozilla released a new version of its Firefox browser that featured a built-in JavaScript-powered PDF viewer, allowing users to dispense with plugins from Adobe and its rivals. And at the start of the month the software giant was obliged to release emergency Flash patches that threw a fire blanket over not just one but two zero-day security vulnerabilities.

It subsequently emerged that Microsoft Office files containing code that exploited flaws in Adobe's Flash player software were used to pull off corporate espionage against Windows-using businesses in the aerospace industry. Security experts at Lockheed Martin are credited with aiding Adobe; it's a safe bet, therefore, to assume the defence titan was a target of this cyber-spying.

In fairness, all software developers have to deal with zero-day vulnerabilities from time to time. Foxit, which makes a PDF-viewing browser plugin to rival Adobe's, was hit by one such calamity only last month. But Adobe Flash is second only to Oracle's Java in terms of the number of security exploits targeting software in a modern hacker or cyber-spy's toolkit; any un-patched holes in Adobe's software are often seized and attacked in a race against the vendor and users. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.