A few days ago, we wrote about a zero-day Adobe Acrobat and Reader flaw, for which active exploits have been seen in the wild. Adobe has announced that they will patch this flaw with their next quarterly update, due to be issued on January 12. Why will it take them so long?
Computerworld looks at the question and talks to Brad Arkin, Adobe’s director for product security and privacy. Adobe, it seems, doesn’t have the manpower to push out a patch more quickly, and is worried about disturbing its quarterly patch cycle, the next release of which is due on January 12. Arkin gives all kinds of reasons why he thinks this is a good idea, but for users, it’s certainly not. It leaves tens of millions of computer users exposed for nearly a month to a vulnerability that is being exploited (though only on Windows computers for now).
We’ll repeat our oft-cited recommendation: skip using Acrobat or Reader unless you really need to. Apple’s Preview does most of what you need with PDFs, unless you’re creating complex documents. If you must use the Adobe software, turn off JavaScript: in Adobe Reader or Acrobat, choose Preferences > JavaScript, then uncheck Enable Acrobat JavaScript.