Boston’s Core Security, a provider of automated penetration software and computer security consulting services, published details today of a flaw in some versions of the widely used program Adobe Reader that could leave users’ computers vulnerable to takeover by hackers. Shortly after the company published details of the vulnerability, Adobe announced a software update designed to fix the bug.
The vulnerability, which affects Adobe Reader and Adobe Acrobat version 8.1.2 (but does not affect the more recent Adobe Reader 9 or Adobe Acrobat 9, released this summer), can trigger a common type of software problem called a buffer overflow. Analysts at Core Security discovered back in May that if an Adobe Reader user opens a specially crafted PDF file containing malicious input for a particular JavaScript function in the program, it could allow hackers to overwrite the program’s memory and execute arbitrary code.
The flaw is similar to one that another security company, Secunia Research, discovered last spring in a PDF viewer called Foxit Reader, from Fremont, CA-based Foxit Software. Adobe’s software was initially thought to be immune to the problem, but Damian Frizza, a member of Core’s “exploit writers team,” discovered a second, previously unknown flaw in Adobe Reader and Adobe Acrobat that made the programs vulnerable to the same kind of attack.
The company says it alerted Adobe to the problem on May 27. After several delays over the summer, Adobe finalized a fix for the vulnerability in October, and released it today, in concert with Core Security’s alert about the flaw.
“Generally, what we do when we find vulnerabilities that we consider to be significant and novel is that we notify the vendor first, to give them the chance to produce and publish the fixes,” says Ivan Arce, Core Security’s CTO. “Then we coordinate with the vendor and make a plan to publish the information about the vulnerability and the patches simultaneously.”
While “we would have liked the fix to come out earlier” in the Adobe Reader case, communications between Core Security and Adobe were good throughout the process, which reassured Core’s analysts that a fix was proceeding apace, Arce says.
This isn’t always the rule when security vendors discover flaws in widely distributed commercial software. In an episode we chronicled back in March, Core Security disclosed information about a serious security hole in several programs made by VMware (NYSE: VMW), a subsidiary of Hopkinton, MA-based EMC (NYSE: EMC), before a patch was ready. Core said its disclosure in that case followed months of delays and unfulfilled promises from VMware engineers that a patch was forthcoming.
“We had good visibility into what was going on at Adobe, so we had some certainty that the fix was actually coming out” this time, says Arce. “We also didn’t perceive any public exploitation of the problem, even though the previous exploit was in the public domain. We have to balance that risk constantly. In this case we managed to publish the information in a coordinated fashion, without any exploitation happening before the patch was issued.”