This is worrying the researchers, Mateusz “j00ru” Jurczyk and Gynvael Coldwind. “Unfortunately, sixteen more crashes affecting Windows, OS X, or both systems remain unpatched.” But this is not their main concern. The vulnerabilities were not made public by the researchers, and they “have no evidence these bugs are being exploited today.” Ironically, it is the patched vulnerabilities rather than the unpatched vulnerabilities that are most worrying.
The problem is that attackers can now compare the old versions of Windows or OS/X Reader with the new ones and discover the bugs. “We are concerned,” say the researchers. “that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds.”
Google published its attitude towards ‘responsible disclosure’ in July 2010. In short, Google believes that vendors should have a 60 day period of grace to fix vulnerabilities before they are made public. This is the chosen balance between allowing solutions to be developed and implemented by the vendors, and effectively colluding in hiding the existence of bugs from the users.
Google informed Adobe that it would be bound by this policy. The sixty days do not expire until 27 August – the same day scheduled for Adobe’s next patch release. However, with no planned out-of-band updates from Adobe, the researchers believe the threat to Linux users is too great to wait and has usurped its own policy. The researchers point out that they discovered the bugs “using conceptually trivial mutation algorithms such as bitflipping.” Given that, they add, “we believe it is very possible that third-parties specializing in bug hunting and vulnerability research may already know of and/or be targeting many of our reported issues.”
For that reason, they have now publicly disclosed the vulnerabilities. Since there are no known workarounds for the unpatched vulnerabilities (including Windows, OS/X and Linux), they advise users not to open any externally received PDF documents and to “disable the Adobe Reader browser extension for the time being.”