Adobe issues first quarterly patch release fixing 13 flaws

By By Michael S. Mimoso, Editor, Information Security magazine 09 Jun 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Adobe released its first regularly scheduled set of quarterly security patches today for its Reader and Acrobat products, coinciding with a heavy Patch Tuesday release from Microsoft.

The critical fixes addressed 13 vulnerabilities in Adobe Reader and Acrobat versions 9.1.1 for Windows and Macintosh. The update fixes a stack overflow vulnerability that could be exploited by an attacker to execute code and an integer overflow flaw that could lead to a denial of service condition.

Adobe's update also fixes how Acrobat and Reader handle JBIG2, an image compression format used to convert binary images. The programs contained several memory corruption issues and multiple heap overflow vulnerabilities, according to the Adobe security bulletin.

In addition, the software maker said the "update resolves Adobe internally discovered issues."

Adobe announced on May 20 its intent to regularly release patches every three months. Increasingly, it's Reader and Acrobat products are the target of attacks; research from F-Secure indicates that almost 49% of targeted attacks against file types were against PDFs. That's up from 29% a year ago Yet, despite the ubiquity of the product's installed base and the increasingly high profile nature of attacks against Adobe, research conducted by Qualys indicates the uptake of Adobe patches isn't very high. In fact, Qualys CTO Wolfgang Kandek said 20% of Adobe Reader installations have been patched in the two months between its March and May patch releases.

"I think it's a mindset thing, a visibility thing," Kandek said. "With Microsoft, there is good visibility of its security patches; you're aware it of and know what Patch Tuesday is.

"I think we have to raise the visibility of the Adobe security issue," Kandek said. "Talk to your patch management systems, make sure auto-update is working."

Brad Arkin, director of product security and privacy at Adobe, wrote on his blog that since February, engineers at Adobe have been concentrating heavily on software security, especially around code hardening, improving incident response and processes, and providing regular security updates.

Arkin wrote that Adobe new code and features for Reader and Acrobat must pass muster with the company's Secure Product Lifecycle (SPLC).

"The Adobe SPLC integrates standard secure software activities such as threat modeling, automated and manual security code reviews, and fuzzing into the standard Adobe Product Lifecycle we follow for all projects," Arkin wrote. He added that this is standard for new code, but does not exist threats in existing products. To address those issues, Adobe engineers have been hardening at-risk areas of legacy code, he wrote.

"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," Arkin wrote. "Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes."

Kandek thinks Adobe's quarterly releases are a step in the right direction.

"But I think the three-month cycle is too slow," Kandek said. "Vulnerabilities come up faster than every three months. We dealt with a zero-day vulnerability six weeks ago (April 28), and now another set of patches is ready. That tells me they have enough volume to do monthly releases."

Tags: Secure Coding and Application Programming,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure Coding and Application Programming Open source software security tops commercial apps, study finds Improving software with the Building Security in Maturity Model (BSIMM) How to prevent Adobe hacks from affecting your organisation SANS Institute, MITRE release new top 25 dangerous coding errors list Code complexity analysis: How to keep it simple Active PDF attacks target Reader, Acrobat zero-day vulnerability Software piracy group offers cash to whistleblowers SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks H.D. Moore speaks about Metasploit Project deal, Release 3.3 Web Application Security Social networking risks, benefits for enterprises weighed by RSA panel How to prevent Adobe hacks from affecting your organisation Securing Web applications with Web application firewalls CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary