Tech Support Forum - View Single Post - Adobe begins patching cycle with 13 critical fixes

**Glaswegian** · 06-10-2009, 01:32 PM

Adobe has begun its first regularly-scheduled security update, after issuing patches to fix at least 13 critical flaws with Acrobat and Reader.

Today's update to Adobe Reader and Adobe Acrobat comes three weeks after the company said it had revamped its security practices, and would root out vulnerabilities in old code, speed up its patching process and release regular security updates for the often-attacked PDF applications.

At the time, Adobe announced it would piggyback its quarterly updates on Microsoft's monthly Patch Tuesday, but declined to set a start date. Last Thursday, however, the same day that Microsoft issued its usual advance notice of impending patches, Adobe did the same.

"This is the first quarterly security update for Adobe Reader and Acrobat...and incorporates the initial output of code hardening efforts," Wendy Poland of Adobe's security team in a brief post to the group's blog. "Today's updates also address externally reported issues, as detailed in our Security Bulletin."

Poland said that Adobe wasn't aware of any in-the-wild exploits for the just-patched bugs.

As is its usual practice, Adobe described the 13 vulnerabilities reported by outsiders in terse terms. "This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution," Adobe acknowledged in the note accompanying six of the baker's dozen.

Adobe credited 10 researchers or organisations for reporting the Reader/Acrobat vulnerabilities, including the TippingPoint bug bounty program, Apple's security team and Mark Dowd of IBM Internet Security Systems' X-Force, a researcher who frequently roots out Adobe bugs.

But the company also acknowledged that it had plugged an unknown number of holes its own researchers uncovered. "Additionally, this update resolves Adobe internally discovered issues," the security bulletin said near its end. Adobe offered no additional information, such as the number, the severity and the nature of those bugs, however. Microsoft has been roundly criticised in the past when researchers have suspected that it's secretly patching problems without giving users the usual amount of information about the bugs.

http://www.techworld.com/security/ne...&NewsID=117275

06-10-2009, 01:32 PM	#1 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,556 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Adobe begins patching cycle with 13 critical fixes Adobe has begun its first regularly-scheduled security update, after issuing patches to fix at least 13 critical flaws with Acrobat and Reader. Today's update to Adobe Reader and Adobe Acrobat comes three weeks after the company said it had revamped its security practices, and would root out vulnerabilities in old code, speed up its patching process and release regular security updates for the often-attacked PDF applications. At the time, Adobe announced it would piggyback its quarterly updates on Microsoft's monthly Patch Tuesday, but declined to set a start date. Last Thursday, however, the same day that Microsoft issued its usual advance notice of impending patches, Adobe did the same. "This is the first quarterly security update for Adobe Reader and Acrobat...and incorporates the initial output of code hardening efforts," Wendy Poland of Adobe's security team in a brief post to the group's blog. "Today's updates also address externally reported issues, as detailed in our Security Bulletin." Poland said that Adobe wasn't aware of any in-the-wild exploits for the just-patched bugs. As is its usual practice, Adobe described the 13 vulnerabilities reported by outsiders in terse terms. "This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution," Adobe acknowledged in the note accompanying six of the baker's dozen. Adobe credited 10 researchers or organisations for reporting the Reader/Acrobat vulnerabilities, including the TippingPoint bug bounty program, Apple's security team and Mark Dowd of IBM Internet Security Systems' X-Force, a researcher who frequently roots out Adobe bugs. But the company also acknowledged that it had plugged an unknown number of holes its own researchers uncovered. "Additionally, this update resolves Adobe internally discovered issues," the security bulletin said near its end. Adobe offered no additional information, such as the number, the severity and the nature of those bugs, however. Microsoft has been roundly criticised in the past when researchers have suspected that it's secretly patching problems without giving users the usual amount of information about the bugs. http://www.techworld.com/security/ne...&NewsID=117275 __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner