By Joel Hruska | Published: February 12, 2008 – 02:05PM CT
Adobe’s 8.12 update supposedly plugs the loopholes that the Zonebac delivery system exploited, but the company has declined to give any information on what, exactly, the update changed. The lack of information is disappointing (though not surprising), but Adobe’s failure to address the issue in a timely manner raises questions about the firm’s commitment to security. An 18-day gap between the appearance of a verified exploit and the release of a patch isn’t exactly impressive, and this particular issue had been on Adobe’s radar for months. iDefense Labs first reported the existence of this particular buffer overflow vulnerability in early October 2007.
The attack has raised some questions regarding the security of the PDF standard—Symantec researcher Hon Lau discusses the relevant PDF vulnerability in his blog before rhetorically asking: “With more and more of these attacks happening, how much longer will it be before people implicitly attach a higher risk association to PDF files and avoid them altogether?”
To answer his question: some of us already do. While there isn’t much evidence that the PDF format is under concerted attack, the mere existence of these exploits affects how the format is perceived, and Adobe is doing itself no favors. Granted, we still know far, far more people who were infected via JPGs, DOCs, and the like, but this isn’t Adobe’s first high-profile security issue. Hon Lau covered a different attack, a cross-site scripting attack that also exploited a PDF vulnerability, back in January 2007. Ironically, Adobe recommended that users update to Reader 8 as one way of solving the problem.
Given the file format’s popularity and ubiquity, Adobe has a very strong interest in keeping PDF as secure as possible; if it fails to do so, it opens the door for competing standards such as Microsoft’s XML Paper Specification (XPS). These recent attacks, in and of themselves, aren’t enough to steer businesses away from a trusted format they may have been using for well over a decade, but Adobe may need to adjust the way it communicates with customers and the speed with which it delivers security patches. PDF files have traditionally been presented as safe to download and view, which makes the need to stay ahead of attackers—rather than nearly three weeks behind them—all the more important.