Qualys Blog

www.qualys.com
wkandek

Adobe Delivers Third Part of the Acrobat Patch Set, But it Seems Nobody Cares!

Yesterday, on 3/24, Adobe delivered the last of their patch set for the critical Adobe Reader and Acrobat vulnerability that has garnered plenty of attention in the past month. Two weeks ago the patch was for v9, last week's was for v8 and v7, and this week the Linux and Unix population were taken care of. And now we are fully covered, except that nobody seems to care! Our stats fail to show the drop in occurrence we normally see once a patch for a high-profile vulnerability is out (red lines denote availability of the patch in week 1 and week 2):


[Chart apsb09_003_1b.PNG: occurrence of the Adobe Reader/Acrobat vulnerability over time; red lines mark patch availability in week 1 and week 2]

Since its initial announcement we have seen consistently high occurrence numbers for this vulnerability, comparable only to critical Microsoft Windows or Office vulnerabilities. I believe there are several reasons we have not seen a downward trend yet:

  • The patch was initially limited to Adobe Reader and Acrobat v9, while the vulnerability exists in v7, v8 and v9
  • There does not seem to be a working automatic update mechanism. My Adobe Reader v9 has been sitting idle for over a week, even though automatic updates were enabled in the Preferences section
  • This is not a vulnerability from an OS vendor and thus is flying under the radar

This vulnerability requires all our attention; exploits have been around for over 2 months and are readily available to all malware writers. So patch now! In addition, turn off JavaScript in Adobe Reader if you don't need it in your line of business. Organizations can also evaluate alternatives to Acrobat (search for "adobe reader pdf alternatives" in your favorite search engine) that are potentially less exposed targets, but shop around a bit, as some of them have their own flaws and active exploits. I have been using such an alternative for the last 2 weeks and have not encountered any compatibility problems in my usage – reading simple PDF documents.
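The two checks the post asks for, "is the installed Reader/Acrobat build patched?" and "is JavaScript switched off?", can be audited on a Windows host from the registry. The script below is an added example and is not code from the original post, from Qualys or from Adobe. It assumes that install data comes from the standard Uninstall registry keys and that the per-user JavaScript preference is the DWORD `bEnableJS` under `HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs` (Reader) or `HKCU:\Software\Adobe\Adobe Acrobat\<version>\JSPrefs` (Acrobat), where an absent value means Adobe's default of JavaScript enabled. The patched version numbers are not stated in the post, so the usage lines carry placeholders that you must replace with the builds from Adobe's bulletin.

```powershell
# Added example (not from the original post). Audits Adobe Reader / Acrobat
# patch level and the JavaScript preference on a Windows host.

function Get-AcrobatInstall {
    # Enumerate Adobe Reader / Acrobat entries from the Uninstall registry keys
    # (32-bit and 64-bit views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem $root) {
            $p = Get-ItemProperty $entry.PSPath
            if ($p.DisplayName -match '^Adobe (Reader|Acrobat)') {
                [pscustomobject]@{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion -as [version]
                }
            }
        }
    }
}

function Test-AcrobatPatched {
    param(
        # Map of major branch -> minimum patched version, e.g. @{ 9 = '9.0.0' }.
        # The numbers are supplied by the caller from Adobe's bulletin.
        [Parameter(Mandatory)][hashtable]$PatchedVersions
    )
    foreach ($inst in Get-AcrobatInstall) {
        if ($null -eq $inst.Version) { continue }   # unparsable DisplayVersion
        $min = $PatchedVersions[$inst.Version.Major] -as [version]
        $status = if ($null -eq $min) { 'unknown branch' } else { $inst.Version -ge $min }
        [pscustomobject]@{
            Name      = $inst.Name
            Installed = $inst.Version
            Required  = $min
            Patched   = $status
        }
    }
}

function Get-AcrobatJavaScriptState {
    # Per-user preference. Assumption: DWORD bEnableJS under <product>\<ver>\JSPrefs,
    # 1 = JavaScript on, 0 = off; a missing value means the default (on).
    $prefRoots = @('HKCU:\Software\Adobe\Acrobat Reader', 'HKCU:\Software\Adobe\Adobe Acrobat')
    foreach ($root in $prefRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($verKey in Get-ChildItem $root) {
            $jsKey = Join-Path $verKey.PSPath 'JSPrefs'
            $val = $null
            if (Test-Path $jsKey) {
                $val = (Get-ItemProperty -Path $jsKey -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
            }
            $enabled = if ($null -eq $val) { $true } else { [bool]$val }
            [pscustomobject]@{
                Product   = Split-Path $root -Leaf
                Version   = $verKey.PSChildName
                JSEnabled = $enabled
                Source    = if ($null -eq $val) { 'default' } else { 'bEnableJS' }
            }
        }
    }
}

function Disable-AcrobatJavaScript {
    # Sets bEnableJS = 0 for every installed branch that still has JavaScript on.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($state in Get-AcrobatJavaScriptState) {
        if (-not $state.JSEnabled) { continue }
        $jsKey = "HKCU:\Software\Adobe\$($state.Product)\$($state.Version)\JSPrefs"
        if ($PSCmdlet.ShouldProcess($jsKey, 'set bEnableJS = 0')) {
            if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
        }
    }
}

# Usage. PLACEHOLDER versions: substitute the patched builds from Adobe's bulletin
# for the 9, 8 and 7 branches before running this against real hosts.
Test-AcrobatPatched -PatchedVersions @{ 9 = '9.0.0'; 8 = '8.0.0'; 7 = '7.0.0' } | Format-Table -AutoSize
Get-AcrobatJavaScriptState | Format-Table -AutoSize
Disable-AcrobatJavaScript -WhatIf
```

The JavaScript preference is per user, so `Disable-AcrobatJavaScript` only covers the account it runs under; for a fleet, run it as a logon script or push the same value through Group Policy preferences. Combining the patch-level and JavaScript checks in one run gives the kind of per-host view the post's aggregate stats are missing: a host that is unpatched but has JavaScript off is in a different risk bucket from one that is unpatched with JavaScript on.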
