Yesterday, one day ahead of the initial schedule, Adobe released a patch for a critical vulnerability in Adobe Reader 9. Patches for v8 and v7 are expected next week, and a version for Unix in another 2 weeks. The vulnerability (APSA09-01) can be used by an attacker to take control of the affected system. Targeted exploits had been reported by a number of security companies (Symantec, McAfee) in February.
Adobe was first notified of the problem in January and has been working for the last 2 months to develop and test the patch; it is finally ready to get it out to its users. According to our data, Adobe Reader is a widely installed software package, and I would expect that most PCs have a copy of it. Two months is a rather long time to address the issue, and it makes me wonder whether Adobe has a process to react to security flaws without going through normal product cycles. Vulnerabilities of such magnitude need to be handled out-of-band, through a dedicated team that has the resources to quickly develop, test and publish the fix.
If you are still not convinced that this is a highly critical security flaw, I suggest that you take a look at Didier Stevens’s blog, where he demonstrates in a video a number of ways to infect a vulnerable machine by simply viewing a malicious document, and another way that uses the Windows Indexing Service to run the exploit and give control of the machine to the attacker. This latter one requires no user action at all.
We will monitor the adoption of the patch closely; however, considering that so far my Adobe Reader has not prompted me to upgrade, I am doubtful that adoption will be quick enough. Stay tuned…