With Adobe Reader Zero-Day Circulating, Patching for Older Bug Lags

As users await a patch for the latest zero-day flaw affecting Adobe Reader and Acrobat, they should check to make sure their defenses for other vulnerabilities are up-to-date. Research from Qualys shows that many users have still not applied a patch for the zero-day security hole Adobe Systems fixed in March.

While Adobe Systems works to patch the recent zero-day bug discovered in its Adobe Reader and Acrobat products, new data from Qualys suggests many users are so behind in patching that hackers needn't feel rushed to exploit the flaw.

According to Qualys, there has been no significant reduction in the number of machines vulnerable to APSA09-01, a zero-day bug patched by Adobe more than a month ago.

"If this trend continues to persist for the Adobe Reader vulnerabilities, which it has in all 2008 and as demonstrated in Laws 2.0 [PDF], attackers don't need to rush anymore; they can take their time in figuring out the best way to get an infected PDF file into their victims," opined Wolfgang Kandek, CTO of Qualys.

It is a common scenario. In Microsoft's Intelligence Report for the second half of 2008, Microsoft found that 91.3 percent of attacks against Microsoft Office exploited a single vulnerability that was patched more than two years ago (CVE-2006-2492). For a multitude of reasons, patching for both enterprises and home users lags after fixes, leaving holes open for hackers.

In the case of the latest Adobe bug, the vulnerability stretches across all supported versions of Adobe Acrobat and Reader on the Windows, Mac and Unix platforms. Proof-of-concept exploit code for the flaw, described as the "Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability" by SecurityFocus, is already circulating on the Internet.

While users wait for a patch, Adobe suggests they disable JavaScript in the PDF reader. To do so, follow the instructions on the Adobe security blog.

"We are working on a development schedule for these updates and will post a timeline as soon as possible," David Lenoe wrote on the Adobe security blog. "We are currently not aware of any reports of exploits in the wild for this issue."