A critical flaw in Adobe Reader that could be exploited to install malware on users’ PCs will not be fixed for at least four weeks, the company has confirmed.
Adobe conceded that they were aware of a flaw in Adobe Reader and Acrobat, which could see malicious software secretly installed on a fully patched system running either product. The flaw affects Adobe Reader and Acrobat 9.2 and earlier versions.
Tests have revealed that ‘Trojan.Pidief.H’ was being detected by antivirus software programmes after a PDF attachment was opened.
But Adobe have resisted releasing a critical update for the flaw, claiming that it would have jeopardised the release of a scheduled update on January 12.
In a blog on the company website, Brad Arkin, Adobe’s director of product security and privacy, claimed that after weighing up the options, the flaw was not serious enough to merit a critical update at the potential expense of the quarterly update.
“We made major investments as part of our security initiative earlier this year that allow us to deliver patches more quickly,” he wrote. “We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks. Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for January 12, 2010.”
He added: “The next quarterly security update for Adobe Reader and Acrobat, scheduled for release on January 12, 2010, will address a number of security vulnerabilities that were responsibly disclosed to Adobe. We are eager to get fixes for these issues out to our users on schedule. Many organizations are in the process of preparing for the January 12, 2010 update. The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative. Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of the second option to better align with their schedules.”
Customers are advised to ensure that their antivirus software is kept up to date whilst waiting for the Adobe update.