Adobe has released out-of-cycle security updates for its Reader and Acrobat software, including a version of the recently released Flash patch adjusted for Reader’s embedded Flash player. The patch addresses vulnerabilities that an attacker could exploit through malicious code embedded in PDF files.
In announcing the patch, Adobe also recognized the help of a third party. The credit, however, did not go to security researcher Charlie Miller, who is widely credited with discovering the vulnerability. Instead, a security bulletin acknowledges that ‘Adobe would like to thank Tavis Ormandy of the Google Security Team for reporting CVE-2010-2862 and for working with Adobe to help protect our customers.’
It is thought that Ormandy contacted Adobe before Miller made the issue known at the Black Hat USA 2010 conference. Wolfgang Kandek, chief technology officer of Qualys, wrote in a blog post that this is ‘an example that illustrates an effect that security researchers have long tried to call attention to: it is possible and seems to happen every once in a while that vulnerabilities are discovered independently, both by security researchers and/or malware writers.’
Adobe plans to release the next quarterly security updates for Reader and Acrobat on October 12. Meanwhile, it recommends that users take advantage of Reader’s update mechanism or follow the appropriate link from the official security bulletin.