Adobe’s usual practice is to release its security updates on a regular monthly schedule in conjunction with Microsoft’s “Patch Tuesday” releases on the second Tuesday of each month. This month, however, Adobe missed the September 9 date with two of its patches, delaying the release of new versions of Adobe Reader and Adobe Acrobat, which are updated to fix eight vulnerabilities.
Five of the vulnerabilities are of the type that can be exploited to allow an attacker to remotely execute code, which in turn can enable the takeover of the system. A delay in patching such critical vulnerabilities can put the millions of computer users who have Reader installed (along with a lesser but large number who are running Acrobat) at risk. Why, then, would the company postpone releasing them?
You guessed it: Adobe announced that they were rescheduling the updates in order to “address issues identified during routine testing.” One could surmise that, after all of the problems and resultant negative PR that Microsoft has gone through recently with patches that caused conflicts and problems ranging from minor to blue screens of death, Adobe and other software vendors might want to err on the side of caution and ensure that patches are thoroughly tested in a variety of configuration scenarios before release, in hopes of avoiding having the same thing happen to them.
The patches were released on Tuesday, September 16 – one week later than expected – and apply to Reader and Acrobat for both Windows and Mac OS X. The newest version numbers are 11.0.9 for both Reader XI and Acrobat XI. Users of Reader X and Acrobat X, who are not able to update to 11.0.9, need to install version 10.1.12.
Adobe has assigned these updates a priority rating of 1, which is the highest rating and indicates vulnerabilities that have a high risk of being targeted in the wild (or are already being targeted). We will recap all of Adobe’s September releases in this month’s Third Party Patch Roundup at the end of the month, but in brief, the vulnerabilities addressed by these patches include a use-after-free vulnerability, a cross-site scripting vulnerability, a denial-of-service vulnerability, two heap overflow vulnerabilities, two memory corruption vulnerabilities and a sandbox bypass vulnerability.
That’s quite a slate of vulnerabilities, so now that the patches are available, it’s highly recommended that IT admins get the systems on their networks updated as quickly as possible. Attackers are likely to see this as an opportunity for exploitation, especially considering that the release is “out of band” and thus some IT departments may put off patching because it doesn’t fit into their regular schedule, while others have become “patch shy” altogether because of the recent patching problems.
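To make that recommendation checkable, here is an added example (not from the original post or from Adobe) that flags installed Reader and Acrobat builds below the fixed versions named above: 11.0.9 for the XI branch and 10.1.12 for the X branch. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
# Added example: compare installed Adobe Reader/Acrobat versions against the
# patched releases named in the post (11.0.9 for XI, 10.1.12 for X).
# Versions are compared as integer tuples, not strings, so that 10.1.9 is
# correctly ranked below 10.1.12.

# Minimum patched version per major branch, as stated in the post
PATCHED = {11: (11, 0, 9), 10: (10, 1, 12)}


def parse_version(s):
    """Turn a dotted version string such as '11.0.07' into (11, 0, 7)."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:          # pad short strings like '11.0' to three fields
        parts.append(0)
    return tuple(parts[:3])


def patch_status(version_string):
    """Return 'patched', 'vulnerable' or 'unsupported' for one installed build."""
    v = parse_version(version_string)
    minimum = PATCHED.get(v[0])
    if minimum is None:
        # Branch not covered by this release (e.g. 9.x): needs an upgrade, not a patch
        return "unsupported"
    return "patched" if v >= minimum else "vulnerable"


def audit(inventory):
    """inventory: (hostname, product, version) tuples; returns rows needing action."""
    return [(host, product, version, patch_status(version))
            for host, product, version in inventory
            if patch_status(version) != "patched"]


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Reader XI", "11.0.9"),
    ("ws-02", "Adobe Reader XI", "11.0.8"),
    ("ws-03", "Adobe Acrobat X", "10.1.12"),
    ("ws-04", "Adobe Acrobat X", "10.1.11"),
    ("ws-05", "Adobe Reader", "9.5.5"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```

The version strings would normally come from an inventory tool or the installed-programs list on each host; the comparison logic is the part worth reusing.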
Any software vendor faces a difficult dilemma in walking the line between rushing fixes out as quickly as possible to prevent exploits and jumping the gun by releasing them before they’ve been sufficiently tested, which can result in a cure that is worse than the disease. We’re glad Adobe is being diligent about the testing process, which can save many individual users and IT professionals a great deal of potential grief.