[Infowarrior] - Brilliant, Adobe (vuln)
Richard Forno
rforno at infowarrior.org
Sat Feb 21 02:13:38 UTC 2009
This just in from Adobe --- comments follow below.
Release date: February 19, 2009
Vulnerability identifier: APSA09-01
CVE number: CVE-2009-0658
"A critical vulnerability has been identified in Adobe Reader 9 and
Acrobat 9 and earlier versions. This vulnerability would cause the
application to crash and could potentially allow an attacker to take
control of the affected system. There are reports that this issue is
being exploited.....Adobe is planning to release updates to Adobe
Reader and Acrobat to resolve the relevant security issue. Adobe
expects to make available an update for Adobe Reader 9 and Acrobat 9
by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will
follow soon after, with Adobe Reader 7 and Acrobat 7 updates to
follow. In the meantime, Adobe is in contact with anti-virus vendors,
including McAfee and Symantec, on this issue in order to ensure the
security of our mutual customers. A security bulletin will be
published on http://www.adobe.com/support/security as soon as product
updates are available.......Adobe categorizes this as a critical
issue......"
Source: http://www.adobe.com/support/security/advisories/apsa09-01.html
.... thanks, Adobe. You tell us there's a CRITICAL "issue" (not
"problem") facing our systems and data that's being actively
exploited, and yet you tell us NOTHING that would help us monitor
this thing or do something (short of not using Acrobat) to help reduce
our exposure other than the classic 'update our antivirus products'
advice. Then, you tell us we're going to be vulnerable for a few more
weeks until you fix the problem?
In essence, what you are telling the bad guys is, "you've got a few
weeks' Window of Exposure to play with, go ahead and have fun with our
customers!" --- and what you're telling the good guys (and your
customers) is, "you're at risk, but we're not going to say how or why
and just trust us to protect you when we're ready and according to our
schedule.....and if something bad happens to your data, don't blame us
for it -- remember, you agreed to our EULA terms and conditions." How
reassuring. How vendor-friendly, too.
I suspect nobody will view Adobe's brilliant security advisory as a
form of "Irresponsible Disclosure" --- which I believe it is ---
especially since saying nothing about a critical security problem can
be just as irresponsible as (if not more so than) saying something at
all. Double standards, apply within.
Here we go again.
-rick
infowarrior.org