Adobe says Acrobat, Reader vulnerable to hacks
BOSTON (Reuters) - Adobe Systems Inc, whose software is used by millions of people to read documents sent over the Internet, said on Wednesday some of its programs contain yet-to-be-fixed flaws that make computers vulnerable to attack.
On October 5, Adobe posted a notice on its Web site that said it had unknowingly incorporated vulnerabilities into versions of Adobe Reader and Acrobat software that could allow malicious programs to get on to a PC without the user's knowledge.
Such malicious software can take control of a machine and steal confidential data, send out tens of thousands of spam e-mails, or infiltrate government computer systems.
Adobe said it believes the flaws only affect computers running Microsoft Corp's Windows XP operating system and Internet Explorer 7 Web browser. Adobe said it was working to rectify the problem but the fix might not be available until the end of October.
Some security experts say that may not be soon enough to stop hackers determined to get malicious software past firewalls and other security software programs.
"Users should pressure Adobe to release a patch sooner than that," said Gadi Evron, a security expert at Beyond Security. He has organized three closed-door international conferences on efforts by governments and private companies to fight computer attacks.
Malicious software is a common problem. Recent examples have corrupted eBay Inc's Skype Internet telephone service and Time Warner Inc's AOL instant messaging software. Hackers sometimes hide malicious software inside Microsoft Word documents and photo files, hobbling computers when users open them.
Some security experts said that what makes the Adobe case disturbing is that it came to light before the company had a solution to fix the problem, which means hackers have an opportunity to exploit the situation.
The software maker would have preferred to hold off on notifying the public of the flaws in Acrobat and Reader until the updated software was ready, said John Landwehr, Adobe's director of security solutions and strategy.
Earlier on Tuesday, Adobe disclosed "critical problems" in versions of three design programs, GoLive, Illustrator and Pagemaker, and simultaneously released software to repair the problems.
"That is the standard practice," Landwehr told Reuters. "There is a protocol that is fairly well understood."
But, Landwehr said, in the case of Acrobat and Reader, Adobe had to report the problem before the fix because it was reported on October 5 on security Web site www.heise-security.co.uk. Adobe disclosed it later that day on its own Web site.
Adobe has posted instructions on its Web site for working around the problem, www.adobe.com/support/security/. But Landwehr said the instructions are mainly for administrators who run corporate networks, not consumers.
Adobe said PC users who are unable to program that database to fix it may need to wait until the software itself is fixed. The company said it would notify users on its Web site.
Rival browsers Firefox, www.firefox.com, and Opera, www.opera.com, have not reported any similar problems.
