Adobe has released some updates that you need.


If you haven’t already done so, you really need to update your Adobe Flash Player and especially Adobe Reader. Adobe released updates for them a few days ago, and as of right now, the Internet Storm Center is reporting that there are malicious PDF files taking advantage of the vulnerability in Reader.

The vulnerability in Reader is a JavaScript buffer overflow. The current versions of the malicious PDF files are undetectable by ANY antivirus program (as per a submission to VirusTotal). The creators modified a published PoC (Proof of Concept) for the JavaScript vulnerability enough that the antivirus programs miss it.

So, if you have Adobe Reader on your computer (it doesn’t matter which version) update it. Either run the “Check For Updates” or go to Adobe and download the latest patch for your version.

http://www.adobe.com/support/security/bulletins/apsb08-19.html is the link to the bulletin about Adobe Reader.  I just checked Adobe 9 (even though this says Adobe 8), and it had an update.  So, I recommend doing it regardless of which version you have.

Flash Player update for security vulnerabilities is the link to the bulletin about Adobe Flash.  Even though they are not reporting any worms or malicious Flash files, there’s a good chance that some are out there.  Why take the risk?

Note that these are not just for Windows users.  In the Reader update, there are a couple of Unix issues that are resolved as well. 

I also have to agree with one of the handlers from ISC. He said that Microsoft is doing the right thing by releasing updates on the second Tuesday of each month and out-of-band updates as needed, and that more vendors should implement this process.

I say the second week of each month should be “Update week”. The major vendors (Microsoft, Adobe, VMware, and others) could each pick a day that they will release updates on. Yes, it’s going to make for a busy week each month for SAs. But wouldn’t it be an even busier week if someone actually got through your network with a vulnerability that wasn’t updated?

What do you think of the idea of “Update week”? And who do you think the major vendors are that should consider it?  Let me know in the comments section.

Have a great day:)

Patrick.
