The hacker’s favourite attack vector of choice , Adobe has announced that it will issue an emergency patch the week of August 16 to fix a critical flaw in its Reader and Acrobat software.
The flaw was spotted by insecurity expert Charlie Miller and shown off at last month’s Black Hat security conference.
Miller was using the open-source BitBlaze toolkit as a method to boost bug-hunting and has made a bit of a name for himself finding holes in Adobe’s PDF viewer.
According to a paper Miller published after the Black Hat conference, the bug is in Reader’s and Acrobat’s font parsing. It can be used to corrupt memory via a PDF file containing a specially-crafted TrueType font.
Today, Adobe announced it would release a rush security update during the week of August 16-20 instead of October 12.
Normally Adobe issues its quarterly security updates for Reader and Acrobat on Tuesdays so we are expecting to see the out-of-band patch on August 17.
It is looking like Adobe will include fixes for vulnerabilities other than the one Miller uncovered. The company also said it would still ship its next regularly-scheduled quarterly update on October 12.
It has been a bad year for Adobe. It has had to issue several out-of-band updates this year for Reader. There was one in June which bug hackers were already exploiting and it also rushed a Reader fix to customers in February.
It appears to have learnt its lesson. The next version of Adobe Reader 10, which should ship for Windows before the end of the year, is to include “sandboxing” technology to isolate malicious PDF documents.