author photo
By Bruce Sussman
Thu | Oct 11, 2018 | 7:05 AM PDT

It's taken us a couple of days to do the math.

But PDF-related reader programs have had some major vulnerability updates in the last few days. Which ones do employees use in your organization? 

Adobe PDF and Acrobat security update

On Monday October 1, 2018, Adobe released 86 vulnerability fixes for its Adobe Acrobat and Adobe PDF reader in an update. You can see details here: Adobe Acrobat and Adobe PDF security update.

Many of the vulnerabilities are listed as critical, and they impact everything from arbitrary code execution to privilege escalation.

Foxit reader and Foxit Phantom PDF security update

Adobe's announcement comes just three days after Foxit updated more than 100 vulnerabilities in its Foxit reader and Foxit Phantom PDF programs. 

Vulnerabilities range from remote code execution to remote admin authentication bypass vulnerability, which could be exploited by attackers to disclose information. See the Foxit security update here.

Security patches and updates: a sign bug bounty programs are working

It's more common than ever now for companies to give credit to the white hat hackers who submit the security vulnerability—and the bug bounty programs those hackers are working through.

And in both of these cases, over and over again, you'll see Trend Micro's Zero Day Initiative listed as the source of the vulnerability research.

I recently spoke with Brian Gorenc, who is the Director of Vulnerability Research with Trend Micro and leads the Zero Day Initiative (ZDI) bug bounty program.

He was recently presenting at SecureWorld St. Louis.

And this is proof, he says, that bug bounty programs are working:

"The impact is significant, if you think about it. Every patch that is coming out, especially when it comes to enterprise software and operating systems, it is being fed by bug bounty programs," Gorenc says.

"The community is coming together to make sure the vendors are actually releasing patches for these bugs, and as a result the attack surface shifts and changes. We see that in the way people are using exploits in the wild because they have to go after different things because the old vulnerabilities are no longer there for them to take advantage of."

And because of these two PDF reader updates, there will soon be nearly 200 vulnerabilities that are no longer available for hackers to exploit.

Bug bounty programs, and the researchers who participate in them, are clearly making a difference in cybersecurity.

Comments