Adobe patches hole after exploits found in the wild
How late it was, how late
Published: 11 March 2009 15:05 GMT by Elinor Mills
Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9, which has already been exploited by malware writers.
The vulnerability could allow an attacker to take complete control of a computer, and exploits for it have reportedly existed in the wild for nearly two months.
Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by 11 March.
Attackers could take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.
In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by 18 March and for Adobe Reader 9.1 for Unix by 25 March.
Meanwhile, the US Computer Emergency Readiness Team (US-Cert) said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.
The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the Cert advisory said.
Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.
One security expert criticised Adobe for being late to acknowledge the vulnerability.
Andrew Storms, director of security operations for nCircle, a network and compliance automation firm, said: "Having the patch early is a huge benefit but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication."
Adobe had not responded to a request for comment at the time of writing.











