Escalating attacks exploiting PDF files have prompted Microsoft to issue an all-hands-on-deck call to fix a vulnerability that lurks in the bowels of Windows XP


OK, this is a bit of justification for us here at Adobe. Now please, I am not Microsoft bashing here, but the boys in Redmond took the high road on this threat vector and blamed us, along with any other company that creates PDFs, saying it was our problem.


Bill Sisk, a member of Microsoft’s security response team, wrote in a blog post Thursday: “Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues.”

For example, the vulnerability allowed a malicious PDF file to turn your PC into a zombie, so after three months of sloughing off the problem to third parties, Microsoft is now scrambling to fix it. It may take another two weeks or more to get a patch. Microsoft isn’t due to issue another patch batch until November 13.

The urgency and transparency Microsoft is showing is commendable. But let’s not forget that for more than three months, Redmond’s security pros maintained that weaknesses resulting when third-party applications passed malicious uniform resource identifiers (URIs) to Internet Explorer were “not a vulnerability in a Microsoft product.” As such, Redmond maintained, responsibility for plugging the hole lay elsewhere.

Two weeks ago, Microsoft reversed itself on this position, admitting for the first time that the URI-handling weakness was an issue that had to be addressed by Microsoft. The change of heart came as it became increasingly clear that the URI-handling weakness was doomed to repeat itself over and over on countless third-party apps. As Bill Sisk put it, “…these third party updates do not resolve the vulnerability – they just close an attack vector.”

“In the meantime, users should take extra care when receiving email attachments, even when delivered from known sources, and when visiting familiar or unknown websites,” Sisk said.
Notice here that Sisk said all e-mail attachments, because this threat can attach itself to almost any attachment!

By the way, Sisk didn’t mention updates we, Adobe, have issued here for Reader or here for Acrobat, but installing them immediately is critical to keeping you safe.

OK, man, that was a bit heavy for a Tuesday morning, but it is very important stuff. Keep some life in your life and watch out for the boogie man!

Tim