Adobe, still reeling from the public disclosure of a massive breach of source code and customer information, released two security advisories today patching vulnerabilities unrelated to the recent break-in.
The first concerns a vulnerability in Adobe RoboHelp 10 for Windows that could allow an attacker to remotely run malicious code on the underlying system supporting the software. RoboHelp 10 is publishing software that enables users to collaboratively develop HTML5 websites. Content can also be delivered in third-party formats such as PDF and mobile apps.
Adobe gives this vulnerability a relatively low priority rating of 3 and said it is not aware of any public exploits of this bug. The security update can be found here.
The second update patches a JavaScript issue in Adobe Acrobat and Reader. Version 11.0.05 for Windows of both products is affected; earlier versions are not vulnerable to the same issue. Adobe added that there are no publicly known exploits available for this vulnerability.
“These updates address a regression that occurred in version 11.0.04 affecting JavaScript security controls,” Adobe said.
Adobe, meanwhile, has not commented further on the breach, which was made public last Thursday. The company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that, in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.
On Friday, it was revealed that the gang behind the Adobe attacks had also infiltrated other large companies that were in the process of being notified. The attackers have been active for much of the year using ColdFusion exploits to hit a number of high-value targets. ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4 when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software.
“I would characterize the breach as one of the worst in U.S. history because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked,” said Alex Holden of Hold Security LLC, who along with security reporter Brian Krebs discovered and investigated a 40Gb stash of Adobe data found online. “This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.
“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”