Adobe Announces Security Update for Flash – Drops Ball On Acrobat…No Fix Available

Adobe Systems, Inc. (NasdaqGS: ADBE) has released a security update for its nearly universal media player franchise: Flash. Concurrent with the Flash update, the company managed to fully fail in mitigating the highly critical vulnerability resident within the company’s PDF viewer and authoring tool sets, Adobe Acrobat and Acrobat Reader, across all platforms. News that the company was made aware of the issue in mid-January fuels speculation of a level of incompetence reminiscent of the seemingly never-ending blunders committed by Microsoft Corporation (NasdaqGS: MSFT)… A short snippet from The Washington Post’s security blogger Brian Krebs appears after the jump, with further information. Read it and weep.

From The Washington Post’s Security Fix blog [authored by Brian Krebs]:

“Adobe Urges Stopgap Changes To Blunt Cyber Threat

Adobe Systems Inc. has found itself in the midst of a public relations maelstrom of the sort once reserved only for Microsoft Corp., as security experts chastise the company for not moving fast enough to address a critical security hole in its products even as third-party software makers offer makeshift fixes for the flaw.

On Feb. 19, experts at Shadowserver.org, a volunteer-led security group, let the world know that bad guys were attacking an unpatched security flaw in Adobe Acrobat and Reader to break into systems when users opened booby-trapped .PDF files. The Shadowserver guys said one way to mitigate this threat was to disable the rendering of Javascript within these programs…

Brad Arkin, Adobe’s director for product security and privacy, said the company was alerted on Jan. 16 about the presence of malware exploiting the flaw, though he declined to say which organization alerted them to that fact. When asked why the company had not offered instructions on how to mitigate the threat by disabling Javascript in its products, Arkin said Adobe wanted to make sure the fix they presented was complete. “Disabling Javascript is one way to prevent a particular class of attacks [from this flaw], but it doesn’t address the root vulnerability itself,” Arkin said. “Our focus when we were first informed about this was to try to focus our efforts to get a patch out to all users.”

In the hours since that interview with Security Fix, Adobe updated its advisory to recommend that users disable Javascript support until the company releases a patch to fix the flaw…”

- Acrobat Security update (blogs.adobe.com)
- Unofficial Adobe Reader Patch Released (ghacks.net)
- Adobe Reader and Acrobat Issue update (blogs.adobe.com)
- Adobe Fixes Software Flaw Exposed by Core Security (xconomy.com)





