Adobe Fixing 0-Day Exploit in One Month
Adobe isn't addressing the problem until next month in its quarterly security update.
Adobe said yesterday that it plans to ship a patch for the recently discovered 0-day exploit (CVE-2009-4324) on January 12. A blog post from the Adobe Secure Software Engineering team explains the delay, claiming that any attempt to work on an immediate, "out-of-cycle" fix would postpone the next quarterly security update for Reader and Acrobat, scheduled for the same date.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010," the company said.
Adobe also said that customer schedules depend on the January 12 security update, especially at organizations that are preparing for the update next month, and that delaying the update would have a negative impact on businesses. Additionally, an informal poll of those businesses determined that holding off on an immediate patch was best.
As stated yesterday, the best option for consumers at this point is to disable JavaScript in Reader and Acrobat until the company addresses the 0-day exploit next month. To do this, simply click on Edit and choose Preferences. Click JavaScript on the left-hand menu and make sure to uncheck Enable Acrobat JavaScript.

so nice of them to respond promptly and immediately!
Good thing that other PDF readers are NOT affected by this. . .
'We know full well that using our software puts you at risk, but we have a schedule to keep thankyouverymuch. In the meantime, just cross your fingers. Oh and we won't be advertising or warning anyone about the problem.'
I smell a lawsuit...
At least they aren't as bad as Apple waiting 8 months to fix a drive by download attack on their Java implementation.
This is and always has been the first change I make to Reader's configuration and doing so has thwarted several drive-by attempts over the past few years. PDFs almost never contain useful JavaScript - and I'm being generous in adding "almost".
There have been so many security issues with Reader over the years that I just don't even bother installing it anymore. I just use Google's PDF reading abilities.
Foxit reader FTW. I switched a while ago and not looking back.
They probably wish they could photoshop the glitch away.
Best thing to do is to use a different PDF reader.
Adobe to abandon its reader and make it open source due to its "failures."
Why does a document reader need JavaScript support in the first place? If the document is that complex it more than likely should have been made into Flash, Silverlight, or HTML.
I'm still waiting for them to fix the cross domain execution that is allowing flash based ads to infect PCs with vundo strains.
I agree Foxit reader FTW.