Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Adobe for the problems in Adobe Reader and Adobe Acrobat. The first report was on January 4:
There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to carry out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin online.
The reason for the update in that bug report was that Adobe didn't have a bulletin online when the US CERT report (and BugBlog item) was first reported. The next BugBlog item came on January 10:
Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and the ability of the attackers to take over the victim's computer. Adobe's earlier advice was to upgrade to the Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional. (Good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free). Get the patch.
Why this bug? First, because of the wide-spread use of Adobe Acrobat. Just about everyone has either the Adobe plug-in for their browser or the Adobe Reader software installed. The Adobe Acrobat software, either Elements, Standard or Professional, is not as universal, but still has a rather large installed base. Thus, the bug affects lots of users.
.jpg?t=20120527181101)
Article comments
1 - John Dowdell
Hi, any threat to your computer's security or to your own privacy is serious, and must be guarded against. But this particular situation may not be as grim as readers might think, particularly if you already keep up to date on your internet software.
Older versions of Adobe Reader could indeed pass JavaScript requests to your browser, leading them to potential cross-domain confusion, but last year's free Adobe Reader 8 had closed off that potential exploit before it became publicized.
Not everyone with internet access is a nice person. Keeping up-to-date with your internet software is a good way to keep them from taking advantage of you. Thanks in advance if you can help spread this word!
tx, jd/adobe
2 - ProfEssays
I hope that other programs are not so vulnerable.