In the wake of the zero-day attacks against Adobe’s Acrobat and Reader product lines, the company is taking a lot of flak for its poor response to handling the issue — specifically around communicating the risks and providing mitigation guidance for end users.
Over on the ZDNet Zero Day blog, I lament the absence of real workarounds:
The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.
Larry Seltzer at eWEEK goes a step further, arguing that companies that hide vulnerability information and take months for critical patches don’t serve their users well:
[W]hat’s really galling is the absence of any information provided by Adobe on the vulnerability until today. That information, in a post on the Adobe Product Security Incident Response Team (PSIRT) blog, is mostly a bunch of links to anti-malware products from third parties and a few advisories from outsiders on the issue, not details from Adobe.
And more:
At a time when it knew the vulnerability was being exploited in the wild and must have had samples, Adobe sat on the information. They only disclosed anything after the Shadowserver people forced its hand. Adobe customers, if they have brains, will find and use the outsider tools such as the Sourcefire stuff, but Adobe should be providing this information… The people who write the malware have access to this information if they want. It’s only the honest people who are harmed when companies fail to disclose.
HD Moore’s essay on the issue is also instructive reading on how not to handle security response:
The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn’t mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.
Moore draws a clear distinction between Adobe and Microsoft when it comes to security response and communicating information to affected customers:
Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of “your customers are being exploited” do they not understand?
For what it’s worth, someone needs to modify the publicly available PSIRT process to include workarounds and mitigation guidance to end users.
Here’s a nifty timeline of the publicly known information on the vulnerability/attacks.