Original URL: https://www.theregister.com/2013/02/21/adobe_reader_acrobat_0days/

Adobe punts fix for Reader, Acrobat holes battered by PC, Mac hackers

Software biz praised for nine-day response

By John Leyden

Posted in Security, 21st February 2013 13:03 GMT

Adobe has pushed out an emergency security update for its PDF viewing software Reader and Acrobat to plug zero-day vulnerabilities that emerged last week.

The cross-platform update, issued yesterday, addresses flaws that were being actively exploited by miscreants to compromise and take over Microsoft Windows and Apple Mac OS X computers. Word of the bugs spread following the publication of a report by security biz FireEye on 12 February. Adobe acted quickly to publicise workarounds a day later, prior to pushing out patches for Windows, Mac and Linux systems on 20 February.

The updates cover all supported product versions (Reader and Acrobat 9, 10, 11) and unsurprisingly they're all rated critical. Adobe's advisory is here.

Paul Ducklin of antivirus outfit Sophos praised Adobe for its prompt response.

The update completes a pretty wretched month for Adobe. Earlier this week Mozilla released a new version of its Firefox browser that featured a built-in JavaScript-powered PDF viewer, allowing users to dispense with plugins from Adobe and its rivals. And at the start of the month the software giant was obliged to release emergency Flash patches that threw a fire blanket over not just one but two zero-day security vulnerabilities.

It subsequently emerged that Microsoft Office files containing code that exploited flaws in Adobe's Flash player software were used to pull off corporate espionage against Windows-using businesses in the aerospace industry. Security experts at Lockheed Martin are credited with aiding Adobe; it's a safe bet, therefore, to assume the defence titan was a target of this cyber-spying.

In fairness, all software developers have to deal with zero-day vulnerabilities from time to time. Foxit, which makes a PDF-viewing browser plugin to rival Adobe's, was hit by one such calamity only last month. But Adobe Flash is second only to Oracle's Java in terms of the number of security exploits targeting software in a modern hacker or cyber-spy's toolkit; any un-patched holes in Adobe's software are often seized and attacked in a race against the vendor and users. ®