News
Adobe and Apple Address Security Holes
Patches for Adobe Reader, Acrobat; multiple Apple products updated, including OS X, iTunes, and iPhones
Adobe and Apple rolled out security updates on Tuesday on top of Microsoft's lone patch for PowerPoint.
Adobe identified two "critical vulnerabilities" in Adobe Reader 9.1 and Acrobat 9.1, as well as in earlier versions of those applications. The first vulnerability could crash both applications and potentially allow control of a system by an attacker. The second vulnerability only applies to Adobe Reader running on UNIX.
Adobe describes the details in its patch advisory, but the fixes may seem like déjà vu for some IT pros.
"For the second time this year, users have been left holding the bag for security issues in Adobe products," said Andrew Storms, director of security at nCircle. "In February and again in April of this year, enterprises were trying to mitigate threats from zero-day exploits in the popular Adobe PDF products. The PDF document, once viewed as a safer alternative to the Microsoft Word format, has dropped a few rungs in security credibility."
A researcher from SecurityFocus initially had explained that the exploit existed because of how Adobe implemented JavaScript. Storms added that in both the February and April zero-day issues with Adobe, users were instructed to disable JavaScript to help mitigate the threats.
"While this advice seems plausible for the small office, for the enterprise this task is daunting and comes at the price of reduced functionality," he said.
Meanwhile, Apple Inc. got in the spotlight with a massive patch release. Nearly every popular component seems to be on the slate. The patch includes fixes for Mac OS X, iTunes, iPods, iPhones, QuickTime and the Safari browser. (Safari was hacked in less than five minutes at a recent security conference.)
A fair number of the updates are for open source applications bundled with the Mac operating system. Attackers likely have been using public disclosures of vulnerabilities in open source applications for both OS X and the iPhone to find holes in Apple products, according to Storms.
"This is a real wake up call for everyone that has been touting the Mac OS as more secure than Windows," Storms said. "Who would have thought that OS X was so insecure? Now that Apple has let the security cat out of the bag, users are encouraged to update as soon as possible because exploits will be written very quickly."
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.