Update: The original version of this article listed the vulnerability report as appearing on 2012-02-12 and Adobe’s workaround on 2013-02-13, more than a year later. It was, in fact, the next day: the vulnerability report was dated 2013-02-13. Thanks to Naked Security reader Joerg for spotting the mistake. (Corrected 2013-02-21T08:37Z)
Adobe has released the emergency update for Reader and Acrobat that it promised late last week.
The company decided to get a move on to deal with a newly-reported vulnerability that was actively being exploited, at least on Windows and the Mac.
The timeline has been pretty swift:
- 2013-02-12: Bug reported in a blog post by FireEye. Details scant.
- 2013-02-13: Adobe publishes a security bulletin, including a workaround for Windows users.
- 2013-02-17: (Weekend) Adobe announces patch “next week.”
- 2013-02-20: Patch is released.
The fixes are available for all affected platforms, so Windows, Mac and Linux users should all upgrade.
Adobe rates these updates at a priority of 1 on the Windows and Macintosh platforms, for all supported product versions (9, 10, 11).
That’s because the vulnerability was not just known, but actively being exploited.
On Linux, the rating is 2, which means that vulnerabilities exist in the product, but no exploits are known.
How quickly should you act?
Adobe’s recommendations are to get Ones done in three days, or “as soon as possible,” and Twos within a month, which it describes as “soon.”
If you’re still labouring away under a change control regimen that makes this sort of responsiveness difficult, it’s high time to work at speeding things up.
In this case, Adobe has bust a gut to get its patch done quickly and within the promised timeframe.
You may as well take advantage of Adobe’s new-found velocity!
PS. If you have your Reader or Acrobat installation set to update automatically, it will. But you can fast-forward the update if you want, by using Help | Check for Updates.
There are many irritating things about Adobe. This isn't one of them. Credit where credit is due for their jumping on this so quickly.
What is the EXACT Link for the PATCH?
Looking for latest update…have Adobe Reader XI
Above you'll see a bit where I mentioned "Patch is released," which links here:
http://www.adobe.com/support/security/bulletins/a…
That's Adobe's official "this is what it is, and here is where you get it" page, for all supported versions on all supported operating systems. (You actually click through first by OS and then by version number.)
There's a further choice of whether you want to download the full, latest, most up to date version (100MB to 200MB depending on version), or just enough to update from an already-installed earlier version.
Because of the wide range of choices, we link only to the main patch-related page, and let Adobe guide you from there…