Adobe's Acrobat flaw caused a stir when it was first announced by researchers Stefano Di Paola and Giorgio Fedon, in large part because Acrobat has seen enormous adoption rates by companies and consumers alike. The flaw let hackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a PDF file on a Web site to hijack a user's computer.On Tuesday, Adobe released a patch for a security flaw that affects several of its widely used programs, including Acrobat Reader, one of the Web's most popular software
titles. In fact, the flaw affects not only Acrobat Reader, but also Acrobat Standard, Professional, and Elements in versions 7.08 and older. The most recent version of these programs -- version 8.0, which had been released at the time the flaw was discovered -- is immune. In a published statement, Adobe noted that Acrobat 3D was also at risk, but did not state which versions were affected.
The flaw let hackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a Portable Document Format (PDF) file on a Web site to hijack a user's computer. The problem does not affect PDF documents themselves, and can only be used when someone attempts to retrieve a PDF document by clicking a malicious link, such as one a spammer might embed in unwanted e-mail.
The Fix
Worried users can avoid the problem by upgrading their software to version 8, the most recent release. For users who can't upgrade to version 8, Adobe has released a patch for the affected programs, allowing users to upgrade to version 7.0.9.
Further information on upgrades and patches can be found on Adobe's Web site, or simply by using the auto-update features in Adobe's software.
Adobe also offered Web designers guidance on avoiding cross-site scripting attacks that involve PDFs by changing the way they deliver those files on their Web sites.
A Victim of Success
Adobe's mishap caused a stir when it was first announced by researchers Stefano Di Paola and Giorgio Fedon, in large part because Adobe's software has seen enormous adoption rates by companies and consumers alike.
Adobe's system for making, reading, and sending PDF documents -- in which the same document can be read by Windows, Mac, and Unix machines -- neatly solved one of the Web's more complex data-sharing conundrums.
But any software that's widely used by consumers and knowledge workers can be widely attacked by hackers, too, no matter what developer creates it.
"The more prevalent the software is, the more important the threat is for you within your organization to handle," said Khalid Kark, an analyst at Forrester Research. Kark noted that as software gets more popular, its "footprint for risk" grows in tandem.
Fast Turnaround
But Adobe patched the problem in roughly a week -- a fast response by nearly any yardstick. In fact, researchers who find security holes often give companies a full month to patch them before releasing their findings to the public.
"That's kind of the unsaid rule," said Kark. "If you give them a few weeks or at most a month, that should be more than sufficient to figure out what needs to get done and come out with a patch."
There are, of course, those who give companies little notice at all -- a problem that's growing, according to Kark. And there's always the phalanx of hackers who consider advance notice a courtesy that's quickly disposed of. The result? As companies work harder to protect their software, more and more could be forced to match Adobe's response time.
No comments:
Post a Comment