BugBlog's Bug of the Month
Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Adobe for the problems in Adobe Reader and Adobe Acrobat. The first report was on January 4
There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to caryy out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report at http://www.kb.cert.org/vuls/id/815960. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin at http://www.adobe.com/support/security/advisories/apsa07-01.html.
The reason for the update in that bug report was that Adobe didn't have a bulletin online when the US CERT report (and BugBlog item) was first reported. The next BugBlog item came on January 10:
Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and the ability of the attackers to take over the victim's computer. Adobe's earlier advice was to upgrade to the Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional. (Good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free.) Get the patch at http://www.adobe.com/support/security/bulletins/apsb07-01.html.
Why this bug? First, because of the wide-spread use of Adobe Acrobat. Just about everyone has either the Adobe plug-in for their browser or the Adobe Reader software installed. The Adobe Acrobat software, either Elements, Standard or Professional, is not as universal, but still has a rather large installed base. Thus, the bug affects lots of users.
Second, this points out that PDF documents can cause problems, which is unfortunate because at this time many people may be suggesting PDFs as a replacement strategy for exchanging documents. The reason you may need a replacement strategy is that there are currently four unpatched zero-day bugs affecting Microsoft Word (see the January Bug of the Month for coverage of this), and you may have reason to be a little paranoid about Word docs that show up as email attachments. While you may wish to suggest PDFs as a replacement, you cannot suggest that they themselves never have security problems.
Previous Bugs of the Month
January 2007: Microsoft Word Zero-Day Vulnerabilities
December 2006: MIcrosoft XML ActiveX Control Bug
November 2006: Microsoft ActiveX Bug
October 2006: Microsoft VML Bug
September 2006: Sony Batteries
August 2006: Microsoft Windows Genuine Advantage
July 2006: Yahoo! Mail
June 2006: Symantec Enterprise AV
May 2006: Microsoft Wins Special Lifetime Achievement Bug Award
April 2006: Adobe Macromedia Flash Player
March 2006: Microsoft Windows Media Player
Feb 2006: Apple QuickTime
Jan 2006: Microsoft WMF Bug
Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed
November 2005: Four Separate Bugs Leave Windows Open to Takeover
October 2005: Acrobat Screws Up MS Word
September 2005: Apple Security Update Breaks 64-bit Apps
August 2005: Cisco IOS Vulnerable to IPv6 bug
July 2005: RealNetworks Fixes Four Bugs in Their Media Player
June 2005: Flawed Rollout for Netscape 8
May 2005: TCP/IP Fix for Windows
April 2005: Denial of Service against Symantec Norton AntiVirus
March 2005: IDN Spoofing Bug
February 2005: Windows Animated Cursor Bug
January 2005: Windows Firewall Problems with Dial-up connections
The Bug of the Month is also posted at Blogcritics.org
Copyright 2003-2007 BJK Research LLC