As users await a patch for the latest zero-day flaw affecting Adobe Reader and Acrobat, they should check to make sure their defenses for other vulnerabilities are up-to-date. Research from Qualys shows that many users have still not applied a patch for the zero-day security hole Adobe Systems fixed in March.
While Adobe Systems works to patch the recent zero-day bug discovered in its Adobe Reader and Acrobat products, new data from Qualys suggests many users are so behind in patching that hackers needn't feel rushed to exploit the flaw.
According to Qualys, there has been no significant reduction in the number of machines vulnerable to APSA09-01, a zero-day bug patched by Adobe more than a month ago.
"If this trend continues to persist for the Adobe Reader vulnerabilities, which it has in all 2008 and as demonstrated in Laws 2.0 [PDF], attackers don't need to rush anymore; they can take their time in figuring out the best way to get an infected PDF file into their victims," opined Wolfgang Kandek, CTO of Qualys.
It is a common scenario. In Microsoft's Intelligence Report for the second half of 2008, Microsoft found that 91.3 percent of attacks against Microsoft Office exploited a single vulnerability that was patched more than two years ago (CVE-2006-2492). For a multitude of reasons, patching by both enterprises and home users lags behind the release of fixes, leaving holes open for hackers.
In the case of the latest Adobe bug, the vulnerability stretches across all supported versions of Adobe Acrobat and Reader on the Windows, Mac and Unix platforms. Proof-of-concept exploit code for the flaw, described as the "Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability" by SecurityFocus, is already circulating on the Internet.
While users wait for a patch, Adobe suggests they disable JavaScript in the PDF reader. To do so, follow the instructions on the Adobe security blog.
"We are working on a development schedule for these updates and will post a timeline as soon as possible," David Lenoe wrote on the Adobe security blog. "We are currently not aware of any reports of exploits in the wild for this issue."