Adobe admitted it has patched five critical vulnerabilities behind the scenes after it updated its Reader and Acrobat applications earlier this month in order to fix a bug.
According to a security bulletin issued Tuesday, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on 10 March, included patches for not just one bug - as Adobe indicated at the time - but for five other vulnerabilities as well.
Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.
That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as email attachments.
"The way we always handle this," said Brad Arkin, Adobe's director of product security and privacy, "is, will publicly released information help more users than not releasing the information?" Adobe, said Arkin, decided the answer was "no," since it had yet to issue updates for all users when it first patched the software on 10 March.
The decision was prompted by the staggered release of the Reader and Acrobat updates. Although Adobe patched the Windows and Mac OS X editions of the two apps on 10 March, it offered updates to the version 8 line on 17 March, and didn't issue Reader 9.1 and Acrobat 9.1 for Unix until Tuesday. It also didn't produce a fix for the even-older Version 7 until Tuesday.
"With this JBIG security incident, we wanted to patch as soon as possible," said Arkin, "and staggering the updates like we did was going to get the patches to the biggest demographic as soon as possible." More users run Version 9 on Windows and Mac than any other edition of Reader and Acrobat, Arkin added.
The four newly revealed JBIG2 vulnerabilities were reported to Adobe after Symantec said it had found a new Reader bug in the wild, said Arkin, but there was enough time before the 10 March update deadline to add fixes for them to Version 9.1.
That matches the schedule spelled out by iDefense Labs, a computer security research arm of VeriSign. In its own bulletin, iDefense said it had notified Adobe of a JBIG2 bug on 24 February, and provided the company with proof-of-concept code a day later.
All four of the already-patched JBIG2 bugs were classified by Adobe as critical, and could "lead to remote code execution," according to the bulletin.
The fifth vulnerability detailed Tuesday was also critical, and had actually been patched in the Unix edition of Reader 8.1.3 and Acrobat 8.1.3 last November. "That had not been ported over to the other platforms, however," said Arkin, referring to the Windows and Mac versions of the software.
One security researcher said that while he agreed with Adobe's call, the company could have done better at communicating about what it was doing. "It does make some sense if you are forced into doing a staggered release," said Andrew Storms, director of security operations at nCircle Network Security. "There's no sense in exposing users any more than necessary. But what gives us the bad taste is how they aren't being upfront about it now," referring to the security bulletin, which doesn't mention the newly revealed bugs in its summary, but tucks them deeper in the document.
Users who have already updated to Reader or Acrobat 9.1 or 8.1.4 - the versions pushed out March 10 and 17, respectively - don't need to take any further action, Adobe's Arkin said, because they're fully patched against all the flaws, including those announced Tuesday.
Links to the Reader and Acrobat updates have been posted on Adobe's site.