Adobe 0-Day (CVE-2009-4324) Fix To Be Pushed 12th January 2010

Well, what more can I say really, good old Adobe have decided that it’s better to hold off on this patch, then to have people working around the clock to try and get this out asap. I suppose they also need to have some time off, after all it is close to Yule, and well they have been really good at releasing patches in a reasonable timescale this year (cough!).

This is the statement from Adobe, which can be found here.

We posted an update to Security Advisory APSA09-07 that reflects the target ship date of January 12, 2010 for the update to remediate vulnerability CVE-2009-4324. I thought folks might be interested in some of the analysis that went into developing the schedule for the fix, so let me share some of the details in this post.

We evaluated two different options for patching this vulnerability:

  1. Stop everything else and start work immediately on an out-of-cycle security update to resolve this vulnerability with a one-off fix. We made major investments as part of our security initiative earlier this year that allow us to deliver patches more quickly. We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks. Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for January 12, 2010.
  2. Roll the fix for vulnerability CVE-2009-4324 into the code branch for the scheduled January 12, 2010 release. The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010.

Two important considerations that contributed to our decision to select the second option:

  • JavaScript Blacklist mitigation – This new feature, introduced in Adobe Reader and Acrobat versions 9.2 and 8.1.7, with the quarterly update in October, allows individuals as well as administrators of large enterprise managed desktop environments to easily disable access to individual JavaScript APIs. More details on the JavaScript Blacklist mitigation are available here. The feature design and our testing for this specific vulnerability indicate the JavaScript Blacklist is an effective mitigation against the threat without breaking other workflows that rely on JavaScript or other JavaScript APIs.

  • Customer schedules – The next quarterly security update for Adobe Reader and Acrobat, scheduled for release on January 12, 2010, will address a number of security vulnerabilities that were responsibly disclosed to Adobe. We are eager to get fixes for these issues out to our users on schedule. Many organizations are in the process of preparing for the January 12, 2010 update. The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative. Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of the second option to better align with their schedules.

This is just a brief description of some of the points we considered in our analysis. Ultimately, the decision came down to what we could do to best mitigate threats to our customers, a critical priority to everyone at Adobe – and one we take very seriously.”

I can really see how they are taking this one seriously, as 4 weeks to roll out a critical patch to one of the most widely used applications on the planet really isn’t that bad if you think it, as that’s got to be at least 2 people working on this one. I actually thought that Adobe had more than a couple of developers, but I guess I was wrong.

  • Sandi Hardmeier

    Oh well… at least they are doing something about it, albeit slowly – unlike their refusal to give us an ‘off switch’ to stop Flash malvertisements hijacking our web browsers. They gave us a way to stop clipboard hijacking, why not browser hijacking? Oh hang on, silly me, its because some at Adobe reckon that it is the web site’s fault for accepting the dangerous content in the first place >sigh

  • security war

    good to fix it

    in the last time there are to much bug for adobe

    is not good