Well, I’ve still had no information about updates to address the recent Acrobat vulnerability/exploits at either of the addresses I subscribed to Adobe's Security Notification Service. However, the RSS feed here does work.
Which is how I know that Acrobat Reader 9.1 and 8.1.4 for Unix were released yesterday, right on time. As expected, these address the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03, which is known to have been exploited by targeted malware.
Happily, Adobe has now advised that some other vulnerabilities we've been hearing about have also been addressed in these and the other updates we've mentioned previously. Several other JBIG2 issues described by Adobe as critical have now been publicly acknowledged by the company, and a new security bulletin update suggests that discrepancies in patch levels between different versions from 7.x to 9.x have now been regularized.
In an article for Computerworld, Gregg Keizer notes some disquiet with Adobe's secretiveness over the scope of these patches. It doesn't seem to me that Adobe acted inappropriately in communicating only the vulnerability for which there was a known workaround until a patch was available, as they had no grounds to suspect that there were exploits for those vulnerabilities in the wild.
I'm also pleased to note that 7.1.1 did eventually find its way onto the updates page. However, the staggered update schedule does seem to have confused some of our readers, and I'd advise that if you're in any doubt as to whether you have the latest version appropriate to your system, you go back to http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows and re-check.
You may remember that we've advised you to disable JavaScript in Acrobat unless you have a definite need for it, and that I noted that it is still enabled by default in the updated versions (at least, those I have access to).
It's actually a little more annoying than that. I now find that every time I open a PDF on this system, Acrobat informs me that JavaScript is enabled in the document (even when I've just created it on a system with JS disabled), and prompts me to re-enable it in the application. While there may be no significant danger in re-enabling it right now, that may not always be so, and in any case I'd prefer it if Adobe would be a little less insistent.
David Harley
Director of Malware Intelligence