Feeds

Adobe punts fix for Reader, Acrobat holes battered by PC, Mac hackers

Software biz praised for nine-day response

Top three mobile application threats

Adobe has pushed out an emergency security update for its PDF viewing software Reader and Acrobat to plug zero-day vulnerabilities that emerged last week.

The cross-platform update, issued yesterday, addresses flaws that were being actively exploited by miscreants to compromise and take over Microsoft Windows and Apple Mac OS X computers. Word of the bugs spread following the publication of a report by security biz FireEye on 12 February. Adobe acted quickly to publicise workarounds a day later, prior to pushing out patches for Windows, Mac and Linux systems on 20 February.

The updates cover all supported product versions (Reader and Acrobat 9, 10, 11) and unsurprisingly they're all rated critical. Adobe's advisory is here.

Paul Ducklin of antivirus outfit Sophos praised Adobe for its prompt response.

The update completes a pretty wretched month for Adobe. Earlier this week Mozilla released a new version of its Firefox browser that featured a built-in JavaScript-powered PDF viewer, allowing users to dispense with plugins from Adobe and its rivals. And at the start of the month the software giant was obliged to release emergency Flash patches that threw a fire blanket over not just one but two zero-day security vulnerabilities.

It subsequently emerged that Microsoft Office files containing code that exploited flaws in Adobe's Flash player software were used to pull off corporate espionage against Windows-using businesses in the aerospace industry. Security experts at Lockheed Martin are credited with aiding Adobe; it's a safe bet, therefore, to assume the defence titan was a target of this cyber-spying.

In fairness, all software developers have to deal with zero-day vulnerabilities from time to time. Foxit, which makes a PDF-viewing browser plugin to rival Adobe's, was hit by one such calamity only last month. But Adobe Flash is second only to Oracle's Java in terms of the number of security exploits targeting software in a modern hacker or cyber-spy's toolkit; any un-patched holes in Adobe's software are often seized and attacked in a race against the vendor and users. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.