Adobe Confirms Critical PDF Fix, Will Issue Bulletin
Here's a quick update on the Adobe Reader silent fix I wrote about earlier today.
Adobe spokesperson John Cristofano sent me a statement confirming the severity of the vulnerability fixed with Adobe Reader 8.1.2 and promising that a detailed bulletin is on tap for release later.
Here's the full statement.
On Feb. 6, Adobe made available an update to Acrobat and Adobe Reader 8.x. It updates the Windows and Mac versions of Acrobat to 8.1.2, and the Windows, Mac, Linux and Solaris versions of Adobe Reader to 8.1.2.
In addition to addressing bug fixes and providing support for Mac OS X Leopard (up through version 10.5.1), the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable.
Adobe recommends users of Acrobat and Adobe Reader 8.x install the update to protect themselves.
Adobe plans to share further information on the topic within a few days via the company's Security Bulletins and Advisories page, at which point the company has completed the process of responsible disclosure with third-party stakeholders.
This is a very serious vulnerability. I've tested the Immunity proof-of-concept exploit and can confirm that the attack vector -- code execution via Internet Explorer -- is real. Apply that patch now.