Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit
SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days' time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation and does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe has finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with early versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."
We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?
I don't believe that DLL sharing was ever really a space issue, but rather a situation where developers did not want to reinvent the wheel. For example, look at Firefox's "IE Tab" extension. This is possible because the MSHTML rendering engine that IE uses is also available for other programs to connect into as well. Without DLL sharing, there would be no real way to create something like this...
Unfortunately it would still be for the best. Very often software is written to link to misbehaving functions and system calls quite often. Updating a single DLL can break as much or more than it fixes. Truly there are arguments for either side of that position. But ultimately when it comes to a "software product" it should be as self-contained as possible. One vendor should not be capable of rendering another program useless by updating a single DLL. Applications should be compartmentalized and self-contained and especially not linked into the operating system.
Patch for Reader: 103 MB
Fresh download of Reader: 41 MB
Am I the only one who thinks that a bit odd?