Adobe managed to get the update out a day ahead of schedule, which is great because the problem with the PDF bug seems to be getting worse by the day.

On the same day, US-CERT published an advisory about a new attack vector, discovered by Didier Stevens, that requires no user intervention to trigger the attack. You can also read more about it in DarkReading.

Basically, both say the same thing: all that is required is the Windows Indexing Service and Acrobat 9. The attack is triggered when the indexing process handles a PDF file that carries the bug.

You need to download and install the entire package to get to version 9.1, which is puzzling because there is an update function in version 9.0 that can be configured to check for updates on a regular basis, but it is not being used as another channel to push the fix.

I would have thought Adobe would have preferred to use this method instead of asking users to download the entire package.

Not automating this process makes it harder to get the fix out there quickly, and the patch uptake rate is lower as well. Maybe Adobe should start following what Google and Firefox did for their software: continuous background checks and self-update.

Another major concern is how many other applications out there today have an embedded Acrobat Reader. Usually such an application requires Acrobat to generate PDF files as the output of its reporting tool.

These companies need to start thinking about releasing their own updates of the embedded Acrobat; one company I know of has an Acrobat stuck at version 4 that has not seen a patch since the year 2000.
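Finding those stale copies is the first step, and the built-in updater will not tell you about Reader binaries bundled inside other applications. The following PowerShell script is an added example, not code from the original post or from Adobe: it lists the Adobe products registered in Add/Remove Programs, then walks the Program Files trees for any AcroRd32.exe or Acrobat.exe and flags file versions below 9.1. The 9.1 threshold and the search roots are assumptions taken from this post; the script reads version metadata straight from the executables.

```powershell
# Added example (not from the original post): inventory Adobe Reader/Acrobat binaries
# on a Windows host, including copies embedded in other applications, and flag anything
# older than the 9.1 release the post discusses. Run from an administrative shell.
# Assumptions: the 9.1 threshold and the Program Files search roots are the only inputs.

$MinimumVersion = [Version]'9.1.0.0'
$SearchRoots    = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
  Where-Object { $_ -and (Test-Path $_) }

# Executables of the Acrobat family; applications that embed Reader ship these same files.
$Binaries = @('AcroRd32.exe', 'Acrobat.exe')

# 1. Products registered in Add/Remove Programs (32-bit and 64-bit registry views).
$UninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Registered = Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -match 'Adobe (Reader|Acrobat)' } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

# 2. Every Acrobat binary on disk, wherever it lives. This catches embedded copies
#    that never show up in Add/Remove Programs and so never get patched.
$OnDisk = foreach ($root in $SearchRoots) {
  Get-ChildItem -Path $root -Recurse -Include $Binaries -ErrorAction SilentlyContinue |
    ForEach-Object {
      $v = $_.VersionInfo
      [pscustomobject]@{
        Path    = $_.FullName
        Vendor  = $v.CompanyName
        Version = [Version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                                 $v.FileBuildPart, $v.FilePrivatePart)
      }
    }
}

# Report. Anything below 9.1 is still exposed to the bug that the 9.1 update fixes.
'Registered Adobe products:'
$Registered | Format-Table -AutoSize

"Acrobat binaries found on disk (NeedsUpdate = older than $MinimumVersion):"
$OnDisk |
  Select-Object Path, Vendor, Version,
    @{ n = 'NeedsUpdate'; e = { $_.Version -lt $MinimumVersion } } |
  Sort-Object Version |
  Format-Table -AutoSize
```

Run it across the fleet with your usual remote-execution tooling and the flagged rows are exactly the "version 4 since 2000" cases that vendors of embedding applications need to ship fixes for.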

Update 01:

As an additional security measure, Acrobat can be configured not to allow PDF files to connect to the Internet.

Go to Preferences, then Trust Manager, and under Internet Access from PDF files outside the web browser click Change Settings.

Update 28 March: Qualys Inc. reported that 2 weeks after Adobe releases Acrobat patches, fewer than 10% of users have bothered to apply them.
