Over the last two months, rumors of an unpatched vulnerability in the Adobe Acrobat products have been circulating. Last Thursday (the 19th), the Shadowserver folks confirmed that there is an exploit in the wild and that they had obtained a sample. A few hours later, Adobe confirmed the issue in their official advisory. McAfee, Symantec, and others have all chimed in saying that they have samples dating back as far as January and even December of last year. Symantec published a response almost a week before the Adobe advisory.

The exploit was detected in the wild, is being actively exploited, and it wasn't until the Shadowserver folks wrote a summary of the issue that Adobe bothered to issue an advisory. With the February 12th coverage date from Symantec, we can only assume that they contacted Adobe as well and provided any sample they had access to. Adobe's official response is that a patch for Adobe Acrobat 9 will be made available on March 11th, but no timeline has been issued for older versions. Compare this Microsoft's response to MS08-078, MS08-067, or even MS06-001 and you can see a clear difference in how these companies respond to real-world attacks against their user base.

Even though Adobe left their users in the dark, the fine folks at Sourcefire wrote an excellent blog post about the vulnerability, how the exploit is triggered, and how to detect it. This level of information is critical for anyone who wants to protect their users and verify their network defenses. Unfortunately, some of the comments on their blog indicate that not everyone understands the reason why this information is necessary.

All security providers, whether they make antivirus, assessment, or intrusion detection products depend on detailed vulnerability information to tune their products, create signatures, and in the end, better protect their users. Regardless of how many resources these providers have, they all depend on public information to some extent. The antivirus companies have an advantage in terms of raw data collection, but they are still using web sites like Milw0rm and tools like Metasploit to make sure their products actually work. The hypocrisy is that while some of these providers share information with the public and even contribute to vulnerability research, many of them are using these resources for product testing while simultaneously damning them in their press and customer alerts.

The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of "your customers are being exploited" do they not understand?

Again, Sourcefire steps up where the vendor fails. Today, the Sourcefire VRT released a Homebrew Patch to mitigate this issue until Adobe produces the complete fix. Hopefully, the Sourcefire patch, along with the plethora of new AV and IDS signatures, can stand-in until Adobe gets in gear and releases the fix.