“Three months after acknowledging multiple vulnerabilities in its popular Reader software and then patching the program, Adobe Systems Inc. yesterday finally provided some details about the bugs.” – Adobe breaks silence on February’s PDF bugs: Flaws’ severity may have prompted silence, researcher speculates, in Computerworld.

The TeleRead take: Go here for the downloads that address the Reader and Acrobat 7 and 8 problems, if you haven’t applied them already.

Question: Do you think open source readers are better or worse from a security perspective than the usual commercial products are? And might Adobe’s security problems be one reason why the IDPF should encourage the creation and development of open-source ePUB readers—whose tires can be kicked from the start, to at least reduce the possibility of surprises later on? I want to see both open source and commercial models (in this case, Adobe’s ePUB-compatible Digital Editions) thrive.

Update, 2:03 p.m.: John Dowdell at Adobe offered a helpful, unofficial response to the CW article.

2 COMMENTS

  1. Hi David, I left a comment at Gregg’s piece pretty much as soon as it was published — the comment was printed, thank goodness, but at the bottom of the page, where it was easy to miss.

    Adobe Reader 8.x was released pretty quickly. But details of what it fixed were not published until after we had older versions updated too. (Sometimes an intranet will approve minor versions on a shorter cycle than they will major versions, and so we need to go back and update older codebases as well.)

    So the answer to Gregg’s implicit question of “Why did it take so long to learn juicy details of badguy practices?” would be something like “To give current users a meaningful chance to update first, and also to take care of people who cannot use the current version.”

    Good?

    jd/adobe

  2. Big thanks for at least unofficially giving Adobe’s side, John. That’s a helpful response. I’m going to take the liberty of reproducing in full your note to CW. David

    Timing of releases
    Submitted by John Dowdell on May 7, 2008 – 14:59.

    Hi Gregg, I’d defer to members of Adobe’s security team for full details, but usually we don’t provide additional info about the nature of an exploit until all versions are updated.

    The Acrobat 8.x series was updated a while ago, but today the Acrobat 7.x series was also updated, for those intranets which have slow approval cycles for new major versions.

    (This practice also gives a significant number of consumers a chance to get protected, before providing background info to security researchers which might incidentally help criminals.)

    jd/adobe
