An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.
Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.
The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.
“Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability … just like it would when you would explicitly open the document,” Stevens said in a blog post.
Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. “We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild,” he said. “That kicked off our investigation and we began working on a fix immediately.”
Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. “We're doing everything we can, and we intend [meet] to those deadlines,” said Arkin.
Adobe has said it will post a notification on its security site when it issues patches next week.