Adobe has announced in its Product Security Incident Response Team blog that it has confirmed reports of a new vulnerability in all currently supported versions of Reader on all supported platforms. It states that the vulnerability also affects Acrobat and that it will now develop fixes for all affected products.
- Launch Acrobat or Adobe Reader.
- Select Edit > Preferences.
- Click OK.
Adobe will also work with anti-virus vendors to help them detect exploits of this problem. There are no reports of exploits in the wild, but proof-of-concept code is out there, and malicious PDFs in general are not uncommon.
In addition to the PSIRT blog, Adobe will post information about updates for this issue on its Security Bulletins and Advisories page.
Adobe's response to this issue shows an impressive change in attitude from its behavior just a few months ago. Its sluggish response to what came to be known as the JBIG2Decode bug drew criticism from the security community, both for Adobe's lack of response and of help for its customers and for a very slow patch schedule.
We don't know how quickly Adobe will patch these problems, but it certainly seems as if it is taking the communications aspects of vulnerability response seriously, and that's a good sign.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.