With Adobe Reader Zero-Day Circulating, Patching for Older Bug Lags
While Adobe Systems works to patch the recent zero-day bug discovered in its Adobe Reader and Acrobat products, new data from Qualys suggests many users are so behind in patching that hackers needn't feel rushed to exploit the flaw.
"If this trend continues to persist for the Adobe Reader vulnerabilities, which it has in all 2008 and as demonstrated in Laws 2.0 [PDF], attackers don't need to rush anymore; they can take their time in figuring out the best way to get an infected PDF file into their victims," opined Wolfgang Kandek, CTO of Qualys.
It is a common scenario. In Microsoft's Intelligence Report for the second half of 2008, Microsoft found that 91.3 percent of attacks against Microsoft Office exploited a single vulnerability that was patched more than two years ago (CVE-2006-2492). For a multitude of reasons, patching for both enterprises and home users lags after fixes, leaving holes open for hackers.
"We are working on a development schedule for these updates and will post a timeline as soon as possible," David Lenoe wrote on the Adobe security blog. "We are currently not aware of any reports of exploits in the wild for this issue."