BJK Research

BugBlog's Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Adobe for the problems in Adobe Reader and Adobe Acrobat. The first report was on January 4:

There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to carry out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report at http://www.kb.cert.org/vuls/id/815960. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin at http://www.adobe.com/support/security/advisories/apsa07-01.html.

The reason for the update in that bug report was that Adobe didn't have a bulletin online when the US CERT report (and BugBlog item) was first reported. The next BugBlog item came on January 10:

Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and attackers taking over the victim's computer. Adobe's earlier advice was to upgrade to Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional. (Good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free.) Get the patch at http://www.adobe.com/support/security/bulletins/apsb07-01.html.

Why this bug? First, because of the widespread use of Adobe Acrobat. Just about everyone has either the Adobe plug-in for their browser or the Adobe Reader software installed. The Adobe Acrobat software, whether Elements, Standard or Professional, is not as universal, but still has a rather large installed base. Thus, the bug affects lots of users.

Second, this points out that PDF documents can cause problems, which is unfortunate because at this time many people may be suggesting PDFs as a replacement strategy for exchanging documents. The reason you may need a replacement strategy is that there are currently four unpatched zero-day bugs affecting Microsoft Word (see the January Bug of the Month for coverage of this), and you may have reason to be a little paranoid about Word docs that show up as email attachments. While you may wish to suggest PDFs as a replacement, you cannot claim that they themselves never have security problems.

Previous Bugs of the Month

January 2007: Microsoft Word Zero-Day Vulnerabilities

December 2006: Microsoft XML ActiveX Control Bug

November 2006: Microsoft ActiveX Bug

October 2006: Microsoft VML Bug

September 2006: Sony Batteries

August 2006: Microsoft Windows Genuine Advantage

July 2006: Yahoo! Mail

June 2006: Symantec Enterprise AV

May 2006: Microsoft Wins Special Lifetime Achievement Bug Award

April 2006: Adobe Macromedia Flash Player

March 2006: Microsoft Windows Media Player

Feb 2006: Apple QuickTime

Jan 2006: Microsoft WMF Bug

Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed

November 2005: Four Separate Bugs Leave Windows Open to Takeover

October 2005: Acrobat Screws Up MS Word

September 2005: Apple Security Update Breaks 64-bit Apps

August 2005: Cisco IOS Vulnerable to IPv6 bug

July 2005: RealNetworks Fixes Four Bugs in Their Media Player

June 2005: Flawed Rollout for Netscape 8

May 2005: TCP/IP Fix for Windows

April 2005: Denial of Service against Symantec Norton AntiVirus

March 2005: IDN Spoofing Bug

February 2005: Windows Animated Cursor Bug

January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org

Copyright 2003-2007 BJK Research LLC
