Adobe has admitted it patched five critical vulnerabilities behind the scenes after it updated its Reader and Acrobat applications earlier this month in order to fix a bug.
According to a security bulletin issued on Tuesday, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on 10 March, included patches for not just one bug - as Adobe indicated at the time - but for five other vulnerabilities as well.
Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.
That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as email attachments.
"The way we always handle this," said Brad Arkin, Adobe's director of product security and privacy, "is, will publicly released information help more users than not releasing the information?" Adobe, said Arkin, decided the answer was "no," since it had yet to issue updates for all users when it first patched the software on 10 March.
The decision was prompted by the staggered release of the Reader and Acrobat updates. Although Adobe patched the Windows and Mac OS X editions of the two apps on 10 March, it offered updates to the version 8 line on 17 March, and didn't issue Reader 9.1 and Acrobat 9.1 for Unix until Tuesday. It also didn't produce a fix for the even-older Version 7 until Tuesday.
"With this JBIG security incident, we wanted to patch as soon as possible," said Arkin, "and staggering the updates like we did was going to get the patches to the biggest demographic as soon as possible." More users run Version 9 on Windows and Mac than any other edition of Reader and Acrobat, Arkin added.