Adobe Releases Patch on MS Patch Tuesday

As if IT security teams didn't have enough to worry about today, Adobe released a patch for their high profile zero day vulnerability in Adobe reader and Acrobat.  Patches for versions 7 and 8 of their software aren't available yet.

The story on this exploit started on Feb. 19th when ShadowServer posted information on a "0-date on the loose" and referenced a Symantec AV update from February 12th, indicating that the attack had already been in the wild.

Adding to today's confusion, US-CERT is now recognizing new attack vectors for the Adobe JBIG2 vulnerability.

Throughout this entire process Adobe has been slow to communicate and provide
useful information for security managers.  Even with the onslaught of  critical press and jabs from the security community, Adobe was late to acknowledge the vulnerability and later yet in releasing remediation steps.

Initially they promised a patch by March 11th, so most security teams have been holding their breath and sitting with white knuckles over the last few weeks while the bug received more attention.

Other teams started migration to the alternative, FoxIt.  In a moment of irony, FoxIt was
also found to be vulnerable to same bug.

I joked just this morning that all I needed to ruin my day was for Adobe to release their patch.

Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication.

*** This is a Security Bloggers Network syndicated blog from Frames And Bits - The Andrew Storms Blog authored by Andrew Storms. Read the original post at: