June 10, 2009, 9:30 AM — Adobe issued its first regularly-scheduled security updates on Tuesday, fixing at least 13 critical flaws reported by outside researchers and secretly patching an unspecified number of bugs found by its own team.
Today's update to Adobe Reader and Adobe Acrobat comes three weeks after the company said it had revamped its security practices, and would root out vulnerabilities in old code, speed up its patching process and release regular security updates for the often-attacked PDF applications.
At the time, Adobe announced it would piggyback its quarterly updates on Microsoft's monthly Patch Tuesday, but declined to set a start date. Last Thursday, however, the same day that Microsoft issued its usual advance notice of impending patches, Adobe did the same.
"This is the first quarterly security update for Adobe Reader and Acrobat...and incorporates the initial output of code hardening efforts," Wendy Poland of Adobe's security team in a brief post to the group's blog Tuesday. "Today's updates also address externally reported issues, as detailed in our Security Bulletin."
Poland said that Adobe wasn't aware of any in-the-wild exploits for the just-patched bugs.
As is its usual practice, Adobe described the 13 vulnerabilities reported by outsiders in terse terms. "This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution," Adobe acknowledged in the note accompanying six of the baker's dozen.
Adobe credited 10 researchers or organizations for reporting the Reader/Acrobat vulnerabilities, including the TippingPoint bug bounty program, Apple's security team and Mark Dowd of IBM Internet Security Systems' X-Force, a researcher who frequently roots out Adobe bugs.
But the company also acknowledged that it had plugged an unknown number of holes its own researchers uncovered. "Additionally, this update resolves Adobe internally discovered issues," the security bulletin said near its end. Adobe offered no additional information, such as the number, the severity and the nature of those bugs, however. Microsoft has been roundly criticized in the past when researchers have suspected that it's secretly patching problems without giving users the usual amount of information about the bugs.
Adobe didn't escape that criticism today. "They really haven't done a good enough job in this first release," said Andrew Storms, director of security operations at nCircle Network Security, who has taken Adobe to task in the past over such issues as its patch pace.
"At the time of the bulletin's release, none of the vulnerabilities were public, so we know only what they've told us," Storms said. "Then they have this disclaimer at the end about internally discovered issues. That leaves lots of questions. Were those bugs in JBIG2, too? Were they bugs that had been fixed before, and this was an update?"
Eight of the 13 vulnerabilities Adobe described as coming from outside researchers involved JBIG2 files, an image compression format. Storms' questions about whether the unspecified bugs involve JBIG2 have merit: Earlier this year, hackers exploited the popular Adobe Reader software for weeks by leveraging a JBIG2 bug before the company patched the program.
"While Adobe is attempting to increase the frequency of patching and being clearer about what they patch, they still have a long way to go to make it to the Microsoft bar, which is what everyone's trying to do," said Storms, referring to the standards he sees Microsoft having set in bug and patch disclosure.
As a result of the security update, Adobe has released new editions of both Reader and Acrobat. Versions 9.1.2, 8.1.6 and 7.1.3 of each include the patches, the company said.
The company released Windows and Mac versions of Reader/Acrobat 9.1.2 today, but as it has before, didn't have the Unix/Linux edition finished. "Security updates for Adobe Reader on the Unix platform will be available on June 16, 2009," said Adobe's advisory.
Swa Frantzen, an analyst at SANS Institute's Internet Storm Center (ISC) who last month took Microsoft to the woodshed for doing the same thing -- releasing updates for Windows PowerPoint, but not fixes for the Mac version of the presentation maker -- didn't care for Adobe's method either.
"[This] effectively gives the attackers time to reverse engineer the vulnerabilities from the patches for Windows and Mac and build exploits for the Unix versions without those users having any chance to patch," said Frantzen in a post to the ISC site today.
Adobe and Acrobat 9.1.2, 8.1.6 and 7.1.3 can be downloaded for Windows and the Mac from links published in the security advisory.