Almost a month after admitting there was an easily exploitable buffer overflow in its Reader product, Adobe has finally managed to produce patches for Adobe Reader versions 7 and 8.

Adobe itself has rated this as a critical issue, the highest severity rating it has, but it still took about three weeks to produce the first patch (Reader 9.1), and exactly a month for its predecessors (8.1.4 and 7.1.1). Users of Adobe Reader on Unix will have to wait another week for an update. Was it really that hard to write a patch for this issue? I find that very hard to believe, since security researchers had published an unofficial patch within a week.

Update: While browsing the Adobe Product Security Incident Response Team Blog, I noticed this banner:

[Screenshot: Movable Type 3.2 banner on the Adobe PSIRT blog]

Movable Type 3.2 is about three years old! Shouldn't they upgrade to, I don't know, a newer release? Or is this a clever plot to capture script kiddies trying to exploit known vulnerabilities in version 3.2, while they are actually running a completely different product?

[Screenshot: page source of the Adobe PSIRT blog homepage]