Adobe Acrobat and Acrobat Reader have vulnerabilities

11 October 2007

Hacks into Adobe software discovered

Adobe Systems Inc. has issued a statement that some of its software programs contain flaws, for which no fixes are currently available, that could leave Adobe users’ computers vulnerable to attack by hackers.

A notice posted on Adobe’s Web site indicates that Adobe had unknowingly incorporated vulnerabilities into versions of its Adobe Reader and Acrobat software that could allow malicious software programs to be loaded onto an individual user’s PC without the user’s knowledge. Malicious software, or malware, can direct a PC to send out uncontrolled quantities of spam e-mail, steal confidential data, and even run programs that infiltrate government Web sites to hack into government computer systems and servers, all while using the user’s registered IP address.

Thus far, Adobe says, the vulnerabilities have been found only on PCs that run Microsoft’s Windows XP and the Internet Explorer 7 Web browser. Adobe did not indicate how many PCs it believes have been affected so far, but said that the software patch to fix the vulnerability may not be completed until the end of October. Security experts are very concerned about the Adobe vulnerability, since there is no known patch yet and hackers have been put on notice that they can still exploit it for their benefit until the patch is released.

Adobe disclosed "critical problems" in versions of three design programs, GoLive, Illustrator and PageMaker, and simultaneously released software to repair the problems.

Some security experts were critical of Adobe going public with its vulnerabilities without having a software patch ready for release, and indicated that users should press Adobe to release a patch much sooner than the end of October. Adobe’s director of security solutions and strategy indicated that since the vulnerabilities had earlier been leaked on October 5th on the U.K. security Web site, www.heise-security.co.uk, Adobe had no choice but to announce the vulnerabilities while at the same time posting instructions on the Adobe Web site for working around them (www.adobe.com/support/security/).

Adobe did admit, however, that the instructions are directed at network administrators who run corporate networks, not at individual consumers.

Last modified on 11 October 2007