IT workers are not being vigilant enough about patching critical vulnerabilities in Adobe, according to Qualys CTO Wolfgang Kandek, which could be a reason why attackers continue to target Adobe programs.
Qualys: IT Admins Neglecting Adobe Patches Late last week Adobe Reader and Acrobat were hit with a zero-day exploit that, if acted on, could crash the programs and allow an attacker to take over a entire system. Adobe acknowledged the problem in a blog post on May 1.
The company said an update was forthcoming for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.
While that seems like a long time wait for a patch, the company may be coordinating release with Microsoft's Patch Tuesday, which occurs on the second Tuesday of every month, since so many machines operating Windows also run Adobe products. Perhaps by doing so the patch can get as widespread attention as possible.
In the meantime, Adobe recommends a workaround that involves disabling JavaScript on Acrobat and Adobe Reader. Securityfocus BID 34736 shows the rather straightforward exploit code, affecting Windows, Macs, and Linux.
This is the second zero-day announcement for Adobe this year, but Kandek doesn't place culpability for compromised systems square on Adobe. Kandek says IT administrators largely neglected to install the previous patch, released on March 10, probably because of it is relatively difficult to implement. After the previous patch was released, Qualys found no significant reduction in exploitable machines.
"If this trend continues to persist for the Adobe Reader vulnerabilities," said Kandek, "attackers don't need to rush anymore, they can take their time in figuring out the best way to get an infected PDF file into their victims"