Adobe released its first regularly scheduled set of quarterly security patches today for its Reader and Acrobat products, coinciding with a heavy Patch Tuesday release from Microsoft.
The critical fixes addressed 13 vulnerabilities in Adobe Reader and Acrobat versions 9.1.1 for Windows and Macintosh. The update fixes a stack overflow vulnerability that could be exploited by an attacker to execute code and an integer overflow flaw that could lead to a denial of service condition.
Adobe's update also fixes how Acrobat and Reader handle JBIG2, an image compression format used to convert binary images. The programs contained several memory corruption issues and multiple heap overflow vulnerabilities, according to the Adobe security bulletin.
In addition, the software maker said the "update resolves Adobe internally discovered issues."
Adobe announced on May 20 its intent to regularly release patches every three months. Increasingly, it's Reader and Acrobat products are the target of attacks; research from F-Secure indicates that almost 49% of targeted attacks against file types were against PDFs. That's up from 29% a year ago Yet, despite the ubiquity of the product's installed base and the increasingly high profile nature of attacks against Adobe, research conducted by Qualys indicates the uptake of Adobe patches isn't very high. In fact, Qualys CTO Wolfgang Kandek said 20% of Adobe Reader installations have been patched in the two months between its March and May patch releases.
"I think it's a mindset thing, a visibility thing," Kandek said. "With Microsoft, there is good visibility of its security patches; you're aware it of and know what Patch Tuesday is.
"I think we have to raise the visibility of the Adobe security issue," Kandek said. "Talk to your patch management systems, make sure auto-update is working."
Brad Arkin, director of product security and privacy at Adobe, wrote on his blog that since February, engineers at Adobe have been concentrating heavily on software security, especially around code hardening, improving incident response and processes, and providing regular security updates.
Arkin wrote that Adobe new code and features for Reader and Acrobat must pass muster with the company's Secure Product Lifecycle (SPLC).
"The Adobe SPLC integrates standard secure software activities such as threat modeling, automated and manual security code reviews, and fuzzing into the standard Adobe Product Lifecycle we follow for all projects," Arkin wrote. He added that this is standard for new code, but does not exist threats in existing products. To address those issues, Adobe engineers have been hardening at-risk areas of legacy code, he wrote.
"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," Arkin wrote. "Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes."
Kandek thinks Adobe's quarterly releases are a step in the right direction.
"But I think the three-month cycle is too slow," Kandek said. "Vulnerabilities come up faster than every three months. We dealt with a zero-day vulnerability six weeks ago (April 28), and now another set of patches is ready. That tells me they have enough volume to do monthly releases."