Topic: No Acrobat patch for 3 weeks

[Clive]

A security flaw in Adobe's Acrobat Reader software will not be fixed for three weeks, the company has warned.

Adobe warned that the vulnerability affected Acrobat Reader 9 as well as Acrobat 9 and earlier versions of the software as well.

"Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by 11 March, 2009," Adobe said in a statement.

"Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow," the statement continued.

Security experts warned that the flaw could allow a hacker to take control of your PC.

"The risk is that hackers could deliberately construct a malformed PDF file that would trigger the vulnerability, allowing them to open a backdoor and run malicious code on your computer," said Graham Cluley of security firm Sophos.

[Rik]

To think I used to be an ardent Adobe fan. 

[sam]

its bloatwear too!

[Rik]

I know. When I worked for them, they 'felt' a much better company, they were lean, quick to respond, innovative. Now, they seem to have got bogged down in trying to out Microsoft Microsoft, Sam. 

[Simon]

So, are PDF files something to be generally wary of?  I wasn't aware that they could harbour viruses.  What if you use something like Foxit to open them?  Would you be more vulnerable in that case?

[Rik]

You're as vulnerable as Foxit, Simon. It's like any piece of code you download, really, it can harbour nasties.

[sam]

though its easier to hind things in certain types.. and you don't really execute pdfs....

[Rik]

Is that true, Sam? They are based on Postscript and, as such, do run code surely?

[sam]

actually I guess you are right in that sense - I meant its not like you are going to run a pdf like you would some other executable, e.g. if you downloaded a programme of the web then you would expect to install it so when it started running a setup  you wouldn't think anything of it-  if a pdf did, alarm bells should ring.  If that makes sense...

[Rik]

It does. What I was thinking, though, was that a suitably crafted PDF could exploit Acrobat without the user knowing a thing about what was happening.

[Clive]

Wasn't there a huge spate of spam containing .pdf viruses about a year ago? 

[sam]

It does. What I was thinking, though, was that a suitably crafted PDF could exploit Acrobat without the user knowing a thing about what was happening.

true... though there probably aren't that many pdfs out there that are infected - you still have to get it from a dodgy source.

[Rik]

Wasn't there a huge spate of spam containing .pdf viruses about a year ago? 

Yes.