On the heels of a Black Hat conference presentation in which researcher Charlie Miller disclosed an exploitable vulnerability in Adobe Reader, Adobe plans to ship an out-of-band patch to ward off malicious attacks.

Miller’s presentation did not include technical details of the flaw, but attendees were able to piece together enough clues to determine that it could lead to code execution attacks using rigged PDF files.

Adobe’s Product Security Incident Response Team (PSIRT) was also able to confirm the issue and prepare an emergency patch that will be released for Adobe Reader and Acrobat during the week of August 16, 2010.

From Adobe’s pre-patch advisory:

This update will resolve critical security issues in Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010.

Adobe said it was not aware of any in-the-wild exploits targeting any of the vulnerabilities that will be fixed in this out-of-band update.

Categories: Malware, Vulnerabilities

Comment (1)

  1. Doctor72

    I’m an IT professional, and my thinking when the announcement was made that Microsoft would be teaming up with Adobe as security partners was that this was like Laurel and Hardy teaming up with the Three Stooges. The two companies have been holding their own ‘vulnerability Olympics’ for some time, and for years they have received silver and gold medals for having the most vulnerabilities. It’s just a thought, but maybe, just maybe, if they took some of their teams who are working on ‘innovation of new products’ (I mean problems) and used these resources for a while to fortify their existing products, malware artists would have far fewer potential avenues to display their ‘creativity’, and thus consumers would be safer. I know the idea is silly because it would mean smaller fortunes of money would be made by the software giants, but maybe they could label it ‘responsible development’. Maybe a little more of that would bring about some more of that ‘responsible disclosure’ they have wanted but have finally had to rename in an effort to get the same results while making it sound more palatable. Otherwise, the recent joining of the two mega software giants has already shown itself to be ‘business as usual’, with recent critical vulnerabilities having been discovered for both, followed by 2-3 week lag times on security update releases. And as usual, the consumer, the IT professional and the research community just get to look at each other, dumbfounded and helpless, saying ‘I know it’s only been a month since the last incident, but here we go again.’ I know there will always be malicious-minded people finding means to circumvent software protection, but I’m quite sure that if more money were reinvested in preventing outbreaks, and in squashing them with even greater speed and precision when they do occur, there would be an impact on what has been years of an exponentially increasing threat landscape.
    The cost of prevention should pay greatly for both software companies and consumers alike in the long term. In the meanwhile, thank you for your hard work and dedication, which helps keep those of us in the field posted. Your work is appreciated!
