Well, I’ve still had no information about updates to address the recent Acrobat vulnerability/exploits at either of the addresses with which I subscribed to Adobe’s Security Notification Service. However, the RSS feed here does work.
Which is how I know that Acrobat Reader 9.1 and 8.1.4 for Unix were released yesterday, right on time. As expected, these address the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03, which is known to have been exploited by targeted malware.
Happily, Adobe has now advised that some other vulnerabilities we’ve been hearing about have also been addressed in these and the other updates we’ve mentioned previously. Several other JBIG2 issues described by Adobe as critical have now been publicly acknowledged by the company, and a new security bulletin update suggests that discrepancies in patch levels between different versions from 7.x to 9.x have now been regularized.
In an article for Computer World, Gregg Keizer notes some disquiet with Adobe’s secretiveness over the scope of these patches. It doesn’t seem to me that Adobe acted inappropriately in communicating only the vulnerability for which there was a known workaround until a patch was available, as they had no grounds to suspect that there were exploits for those vulnerabilities in the wild.
I’m also pleased to note that 7.1.1 did eventually find its way onto the updates page. However, the staggered update schedule does seem to have confused some of our readers, and I’d advise that if you’re in any doubt as to whether you have the latest version appropriate to your system, that you go back to http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows and re-check.
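Because the staggered schedule leaves people unsure which release counts as "patched" for the branch they run, here is a small version check, added as an illustration and not part of the original post or of anything Adobe ships. It takes the patched levels the post names for each branch (9.1, 8.1.4 and 7.1.1) and tells you whether a given installed version is at or above that level; the installed version string is something you supply yourself (for example from the application's About box), since the script makes no attempt to read it from the system.

```python
from typing import Dict, Optional, Tuple

# Minimum patched version per major branch, as named in the post for the
# JBIG2 fixes (APSB09-03): 9.x -> 9.1, 8.x -> 8.1.4, 7.x -> 7.1.1.
# Branches not listed here (e.g. 6.x) are reported as "unknown".
PATCHED_VERSIONS: Dict[int, str] = {9: "9.1", 8: "8.1.4", 7: "7.1.1"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.4' into (8, 1, 4).

    Leading digits of each dotted component are used; anything after the
    first non-digit (e.g. '9.1.0-beta') is ignored from that point on.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Pad both tuples with zeros so (9, 1) compares equal to (9, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def patched_version_for(installed: str) -> Optional[str]:
    """Return the patched version for the installed build's major branch, or None."""
    major = parse_version(installed)[0]
    return PATCHED_VERSIONS.get(major)


def is_patched(installed: str) -> Optional[bool]:
    """True if installed >= patched level for its branch, False if below,
    None if the branch is not one the post covers."""
    target = patched_version_for(installed)
    if target is None:
        return None
    have, want = _padded(parse_version(installed), parse_version(target))
    return have >= want


def report(installed_versions) -> Dict[str, str]:
    """Map each supplied version string to a one-word status."""
    out = {}
    for v in installed_versions:
        status = is_patched(v)
        if status is None:
            out[v] = "unknown-branch"
        elif status:
            out[v] = "patched"
        else:
            out[v] = f"update-needed (>= {patched_version_for(v)})"
    return out


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for version, status in report(["9.0", "9.1", "8.1.3", "8.1.4", "7.1.1", "6.0.6"]).items():
        print(f"{version:8} {status}")
```

Usage: pass the version string shown by your copy of Reader or Acrobat; a result of "update-needed" means the installed build is below the level the post gives for that branch and you should go back to the downloads page.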
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET