Adobe has confirmed a zero-day remote code execution vulnerability revealed by a security researcher during the Black Hat security conference last week. The company has yet to decide if it needs to break out of its quarterly update cycle in order to patch it.
The Adobe bug was disclosed by renowned hacker and security researcher Charlie Miller during his Black Hat talk on crash analysis techniques. Miller's presentation focused around a tool called BitBlaze, developed at UC Berkeley, which can be used to significantly decrease the time it takes researchers or developers to analyze if crashes are exploitable or not.
The hacker chose several bugs in Adobe Reader and OpenOffice for its case studies. The examples included two exploitable bugs in Adobe Reader 9.2.0, that were discovered last November and are already fixed, a non-exploitable flaw and a zero-day vulnerability in the latest version of the application.
It is this latest zero-day flaw that Adobe representatives who attended Miller's talk were most interested in. The Register reports that the company has since confirmed that the bug is exploitable and can lead to remote code execution.
Work for a patch has already begun, but the company is not sure whether it will deliver it as part of its quarterly update cycle or out of band. There are concerns that the researcher's now public slides (PDF) contains enough information for others to track down the issue and create a working exploit.
"Certainly, there's some information in the slides and screenshots of some of the crash information. As we evaluate what's the right response, we're going to look in and decide is that information sufficient and if so, how long would it take for someone with malicious intent to convert that into an exploit," Brad Arkin, Adobe's director of product security and privacy, commented for The Register.