Adobe punts fix for Reader, Acrobat holes battered by PC, Mac hackers
Software biz praised for nine-day response
Adobe has pushed out an emergency security update for its PDF viewing software Reader and Acrobat to plug zero-day vulnerabilities that emerged last week.
The cross-platform update, issued yesterday, addresses flaws that were being actively exploited by miscreants to compromise and take over Microsoft Windows and Apple Mac OS X computers. Word of the bugs spread following the publication of a report by security biz FireEye on 12 February. Adobe acted quickly to publicise workarounds a day later, prior to pushing out patches for Windows, Mac and Linux systems on 20 February.
The updates cover all supported product versions (Reader and Acrobat 9, 10, 11) and unsurprisingly they're all rated critical. Adobe's advisory is here.
Paul Ducklin of antivirus outfit Sophos praised Adobe for its prompt response.
It subsequently emerged that Microsoft Office files containing code that exploited flaws in Adobe's Flash player software were used to pull off corporate espionage against Windows-using businesses in the aerospace industry. Security experts at Lockheed Martin are credited with aiding Adobe; it's a safe bet, therefore, to assume the defence titan was a target of this cyber-spying.
In fairness, all software developers have to deal with zero-day vulnerabilities from time to time. Foxit, which makes a PDF-viewing browser plugin to rival Adobe's, was hit by one such calamity only last month. But Adobe Flash is second only to Oracle's Java in terms of the number of security exploits targeting software in a modern hacker or cyber-spy's toolkit; any un-patched holes in Adobe's software are often seized and attacked in a race against the vendor and users. ®