January 03, 2007
Reader, JavaScript
In the last few hours, commercial news services reprinted an IDG article about unsafe sites which make links to PDF on safe sites and append JavaScript in the URL, which older versions of Adobe Reader will pass to browsers, and which some older browsers then accept. The risk is that, if you click a link from an evil site to a good site, the evil site could ask some browsers for any cookie info you formed at the good site. I don't have full internal knowledge of all the security implications, but I searched out source links (which were not included in the commercial syndicated articles) and found that the original source papers described that this exploit was already addressed in the current Adobe Reader, and more current versions of the browsers. This basic information didn't make it into the scare stories in the commercial press. I think there's great risk in blindly believing the non-interactive storytellers these days. Bottom line, if you're using current Reader or Firefox then you can auto-click links at dicey sites with less fear. It would have been good if we had some more time to handle all the back-versions and installers for locked intranets, though....
Posted by JohnDowdell at January 3, 2007 03:48 PM
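The link pattern described in the post, as an added example that is not part of the original entry or any Adobe code: a small JavaScript audit that takes a page's URL and its hrefs and flags links to a PDF on another origin that carry a javascript: scheme in the query string or fragment. The hostnames, the parameter name x and the function names are assumptions made for illustration, and the sample links are constructed.

```javascript
// Added example, not from the original post. Hostnames and the "x"
// parameter are placeholders; the sample links are constructed.
const SAMPLE_PAGE = "https://dicey.example/list.html";
const SAMPLE_HREFS = [
  "https://good.example/report.pdf#page=2",
  "https://good.example/report.pdf#x=javascript:void(0)",
  "https://good.example/Report.PDF#x=%256Aava%09Script%253Avoid(0)",
  "/local.pdf#x=javascript:void(0)",
  "https://good.example/page.html#x=javascript:void(0)",
];

// Percent-decode repeatedly so double-encoded text is still seen.
function deepDecode(text, rounds = 3) {
  let current = text;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when the text carries a javascript: scheme, ignoring case and any
// whitespace or control characters inserted to dodge a naive match.
function carriesScript(text) {
  const squeezed = deepDecode(text).replace(/[\s\u0000-\u001f]/g, "");
  return squeezed.toLowerCase().includes("javascript:");
}

// Return the links that point at a PDF on another origin (the "evil site
// links to good site" case) with script in the query string or fragment.
function auditPdfLinks(pageUrl, hrefs) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const href of hrefs) {
    let target;
    try { target = new URL(href, page); } catch (e) { continue; }
    const isPdf = deepDecode(target.pathname).toLowerCase().endsWith(".pdf");
    const crossOrigin = target.origin !== page.origin;
    if (isPdf && crossOrigin && carriesScript(target.search + target.hash)) {
      findings.push({ href, pdfOrigin: target.origin });
    }
  }
  return findings;
}

console.log(auditPdfLinks(SAMPLE_PAGE, SAMPLE_HREFS));
```

Only the second and third sample links are reported: the ordinary page reference, the same-origin PDF and the non-PDF target are left alone.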
Comments
Fortunately, Joris Evers at CNET does include the "get updated" message, and this is also going into syndication among other magazine sites.
(The core problem I'm hearing in these reports is that the browser's JavaScript can be tricked into operating within another domain, compromising cross-site security. JavaScript still has its sandbox, though.)
Posted by: John Dowdell at January 3, 2007 07:25 PM
uh-oh... the Associated Press is now in syndication, and they also don't mention that using the current version of Reader avoids the problem. They feed into many, many hometown newspapers.
"Representatives from Adobe did not return a call from The Associated Press on Wednesday night." Well, the info was in the original source paper, and if you bothered checking the public record in Adobe blogs....
(Associated Press currently has other issues with professional reporting practices.)
Posted by: John Dowdell at January 3, 2007 10:18 PM
I covered this earlier today and one thing stuck out for me. It was the lack of any response from Adobe in any of the stories or on the company's website. Your response here, while laudable, is inadequate, as you yourself say you don't have insight into all the security issues.
Now AP is running and I can't see how you can accuse them of not getting the story right when your company isn't telling the "correct" story.
Anyone can tell that this is a big issue because it's a don't-click-on-PDFs-they-could-infect-your-computer urban myth maker if ever there was one.
Posted by: Dominic Jones at January 4, 2007 01:13 AM
That's a fair point. What bears on when a member of a group can speak?
I know that the members of the security team try to minimize their own public speech until they are solid-sure that they understand each aspect of a potential security issue. They don't go shooting their mouth off like I often do.
Me, I've been speaking of security stories a lot less than I used to, because I see the work that the security team does in investigating each issue... frequently, the top-level symptom presented is not the actual potential risk, and a valid response would need to first investigate *many* potential scenarios beyond the stated report. My triggerpoint this time was when it hit Slashdot.
To achieve "insight into all the security implications" does take time, which is why a good security response is not a quick kneejerk like I've got here.
AP said they didn't get a response "wednesday night" (presumably US East Coast time), and they usually go through their PR contacts, which need to craft a statement with the security team, but you and I have no idea what the AP reporter actually did.
In this case, prior stories in the press do refer to backchannel communication from "Adobe" (one of those stories mentioned "email response"), and the killer observation is that the original source paper did advise that the problem was already fixed. I'd presume any professional reporter would read all available facts themselves while making the story they sell their audiences, and would not rely merely on skimming the headlines of what other storytellers are saying....
(But you've gained streetcred in my book, Dominic, because you're out and around in the web, responsive and interactive... if we had more professional reporters like this the world would be a better place.)
Posted by: John Dowdell at January 4, 2007 05:32 AM
Update: Jeremy Kirk at ComputerWorld does an actual roundup on this issue, bringing together the different voices.
The final quote is "The only solution is to have Adobe release a patch as soon as possible", which shows the actual effects of mainstream, non-interactive news media.
(If Symantec's blog had comments, then that could help a lot too.)
One other point, off Dominic's post: The Adobe Security Center is updated when the issue is fully addressed, not at time of first public newsbiz reports.
Posted by: John Dowdell at January 4, 2007 05:46 AM
Update: One of Jeremy's links includes a comment from Leonard Rosenthol, on the Adobe Acrobat team, which I'll copy here:
A couple of points on this…
1) This issue ONLY affects the Windows platform. Mac, Linux, etc. users are NOT affected.
2) We found this issue out ourselves during our own security/vulnerability testing of Acrobat and introduced a fix as part of Acrobat/Reader 8 for Windows. As such, users of Acrobat/Reader 8 (regardless of browser) are NOT AFFECTED!
3) We already have patches prepared for earlier versions of Acrobat and will release those as soon as they are ready. This will address those users who are unable/unwilling to upgrade to Acrobat/Reader 8.
We thank the community for their concern in identifying vulnerabilities in our products and hope that our having the issues already addressed in our current versions will serve to alleviate concerns and demonstrate our commitment to this area.
Leonard Rosenthol
Adobe Systems
Two additional issues which we'll need to get into the final documentation are the browser dependencies (not all browsers will cross domains like this when a JavaScript request is passed to them from a plugin), and the actual risks (from what I currently understand, the JS will be executed by the browser as if it's from the PDF's domain, rather than from the requesting domain, leading to risks such as cookie snooping and session snooping).
Posted by: John Dowdell at January 4, 2007 06:02 AM
John, Even as of a few minutes ago when I went to Adobe.com and then the Press area, I see nothing about this topic. That path (home > Press) is what 90% of reporters are going to take.
Wire service and other MSM reporters can't be expected to spend time seeking out information on the Adobe site or in blogs.
They can't be expected to rely on something someone from the company may or may not have said to some other media outlet or a blogger. Strictly for accuracy reasons, they need it first-hand, either in an interview with a company spokesperson, a company press release, website posting or even a pointer to this post.
I was a reporter, and that's what I would have required.
I see this sort of breakdown in PR a lot these days. Bloggers blame the reporters for not reading blogs and doing their homework, but often bloggers don't understand the realities of a newsroom environment.
Thanks to your work here, I understand that there's some information available from the company in various places, but someone has to help the reporters find this post.
It's NOT just Adobe that's not doing online media relations well, it's almost every company I see. Most PR departments just aren't set up to stick-handle issues on the Web as they arise. But it's something they have to start doing.
Posted by: Dominic Jones at January 4, 2007 12:47 PM
Hi Dom, the websites (localized into many languages) usually hold permanent materials, rather than temporary materials. Press releases aren't usually executed in response to quick news articles.
In this case, since the original report came from weblogs, and because the AP quotes certain weblogs, we know their reporter is already working from weblogs. Working a little more thoroughly, and linking to their source info, would be helpful.
But you've got a great point about "helping reporters find this info"... let me walk across to the next building, to my friends in PR, and point out your comments here, see if we can use this as a nudge to improve things in new ways....
jd
Posted by: John Dowdell at January 4, 2007 01:11 PM
Scott Fulton at BetaNews covers the story more thoroughly, with this twist at the end:
But US-CERT also acknowledges that Adobe has addressed the problem and may have already completely solved it, not with a simple patch but with a complete solution: Adobe Acrobat 8.0, released last September...just before all the brouhaha over Acrobat 7 started. US-CERT also says it has performed limited testing on Acrobat 8, and sees no evidence of the OpenParameters flaw in that version.
So once again, users may find themselves asking which is the more dangerous exploit: the original flaw, or the subsequent headlines?
Posted by: John Dowdell at January 4, 2007 03:45 PM
Hi,
This might be a bit off topic, but I very much dislike that Adobe Reader has JavaScript capabilities. If that has not already happened, I recommend turning them off.
Pat
Posted by: Pat at January 16, 2007 03:52 PM