Tim Rains, Director, Product Management at Microsoft, recently published an article detailing the key findings of the Microsoft Security Intelligence Report Volume 8 on document file format exploits, in which Acrobat and Reader were explicitly called out. Quoting Tim…
The key things to take away from this study are:
- Once attackers figure out how to exploit a document parser vulnerability, they will try to use that exploit for years to come.
- Newer is better: running the latest version of document parsers and the latest service pack is a very effective mitigation against these types of attacks.
- Keep all of your software up to date including document parsers such as Microsoft Office, Adobe Acrobat, Adobe Reader, and others.
- Use Microsoft Update to keep your Windows based systems up to date, instead of Windows Update. Microsoft Update will help keep all of your Microsoft software updated including Windows operating systems and Microsoft Office, where Windows Update only keeps Windows operating systems up to date.
- If you haven’t updated the document parsers you have installed on your systems, you should give serious consideration to doing so.
- Don’t open email attachments or documents hosted on the Internet if you don’t know and trust their source.
The whole article is really great reading if you’re looking for a solid business case to upgrade sooner rather than later. Leveraging our SCUP catalogs for Acrobat and Reader is a good idea as well.