NEWS

Adobe Acrobat Wins Bug of the Month

Written by Bruce Kratofil
Published February 05, 2007
Part of BugBlog

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Adobe for the problems in Adobe Reader and Adobe Acrobat. The first report was on January 4:

There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to carry out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin online.

The reason for the update in that bug report was that Adobe didn't have a bulletin online when the US CERT report (and the BugBlog item) was first published. The next BugBlog item came on January 10:

Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and the ability of the attackers to take over the victim's computer. Adobe's earlier advice was to upgrade to Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional. (Good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free.) Get the patch.

Why this bug? First, because of the widespread use of Adobe Acrobat. Just about everyone has either the Adobe plug-in for their browser or the Adobe Reader software installed. The Adobe Acrobat software, either Elements, Standard or Professional, is not as universal, but still has a rather large installed base. Thus, the bug affects lots of users.

Second, this points out that PDF documents can cause problems, which is unfortunate because at this time many people may be suggesting PDFs as a replacement strategy for exchanging documents. The reason you may need a replacement strategy is that there are currently four unpatched zero-day bugs affecting Microsoft Word (see the January Bug of the Month for coverage of this), and you may have reason to be a little paranoid about Word docs that show up as email attachments. While you may wish to suggest PDFs as a replacement, you cannot suggest that they themselves never have security problems.

Bruce Kratofil blogs on bugs and other things that can go wrong with your computer at The BugBlog, and writes about computers and economics at BJK Research.

Comments

#1 — February 6, 2007 @ 00:50AM — John Dowdell

Hi, any threat to your computer's security or to your own privacy is serious, and must be guarded against. But this particular situation may not be as grim as readers might think, particularly if you already keep up to date on your internet software.

Older versions of Adobe Reader could indeed pass JavaScript requests to your browser, leading them to potential cross-domain confusion, but last year's free Adobe Reader 8 had closed off that potential exploit before it became publicized.

Not everyone with internet access is a nice person. Keeping up-to-date with your internet software is a good way to keep them from taking advantage of you. Thanks in advance if you can help spread this word!

tx, jd/adobe

#2 — February 6, 2007 @ 07:26AM — ProfEssays

I hope that other programs are not so vulnerable.
