There has been extensive news coverage this week of Adobe’s plans for ramped-up security in its popular Reader, Acrobat and Flash Player applications, especially the Reader and Acrobat updates promised next week.
A vulnerability that was publicized in December in Reader and Acrobat allows an attacker to execute arbitrary code with a specially crafted PDF file using ZLib compressed streams. In a short time, proof-of-concept code was made public. In the past week, anti-virus companies began intercepting malicious .pdf files that exploit the vulnerability to install a back door on victims’ machines.
Adobe applications were targets of malware earlier in 2009 too and at least one anti-virus company predicted that in the coming year Adobe products probably will be exploited frequently.
The good news for the company is that Adobe’s products are so popular that they’re drawing the attention of the dark side. The bad news is… well, pretty much the same thing.
Brad Arkin, Adobe’s director of product security and privacy, apparently has been available to anyone with a blog who wants to talk about Adobe’s security ramp up, including this very detailed interview on Kaspersky’s Threatpost blog.
The real takeaway for the average computer user is that Adobe is making major changes in their security practices. Releasing patches on Microsoft’s “Patch Tuesday” each month — something they began in 2009 — being a significant one. Arkin has said, the company will launch a beta trial of an updater this month and it should find its way into default installs of Adobe Reader and Acrobat shortly.
Users will be able to opt out of the automatic updates. That feature will be handy for the information technology staff which is responsible for updates enterprise-wide.
It’s a good approach and Reader and Acrobat users should keep alert for the updates and instructions for configuring their installations.
Congratulations Adobe for being so popular you’re in the cross hairs of malicious operators worldwide… I think.
eWeek story here: Adobe Keeps Focus on Security in 2010 as Attackers Circle