There isn’t really a standard definition of what constitutes a “Critical” vulnerability in an application, but I think it can generally be agreed that when something is given that label, there’s a serious problem that needs to be fixed ASAP.  So, when Adobe announced not only the existence of a <a href="http://www.adobe.com/support/security/advisories/apsa09-01.html">Critical Vulnerability</a> in its flagship Reader and Acrobat products but also that the flaw was already being exploited in the wild, a quick patch job would be expected.

The vulnerability in the Adobe software is a buffer overflow (seriously – how can we STILL be dealing with these???) triggered by a malformed PDF.  The security bulletin is light on details, but the exploits found in the wild rely on JavaScript, so the flaw is at least commonly described as a JavaScript problem.  That distinction matters for anyone trying to protect users in the meantime: disabling JavaScript in Reader blunts the samples currently circulating, but it does not remove the overflow itself, which lives in how the PDF is parsed.  The bug was disclosed on February 19th, and a patch was released on March 10th.  That’s not an impressive turnaround, especially for a remote code execution vulnerability with working exploits already in circulation.

Adobe’s patch release is interesting, though, in that the update is, as of today, still only available for version 9 of both Reader and Acrobat, and then only on Windows.  A patch is forthcoming for versions 7 and 8, which are affected by the same vulnerability, with Adobe claiming March 18th as a release date, as well as a stunningly far off release date of March 25th for Acrobat 9 on Unix.

I can imagine some reasons why patching an older version of the application may take a little longer: older versions of a product typically have a wider install base and are more sensitive to changes that may affect things like existing business processes and the behavior of deployed plug-ins.  But the sluggishness in response time seems to track how much money Adobe stands to make or lose by patching each respective version.  Why is this fix taking so much longer to apply to older and lesser-used versions of Acrobat?

I doubt that Adobe overhauled the relevant code that much during the development of Acrobat/Reader 9, as the flaw is exploited the same way on all versions.  Are there really extra weeks’ worth of validation tests that have to be executed?  Did all the people who worked on Acrobat 7 and 8 leave the company?  Or could this just be a combination of cost saving by Adobe, subtle nudging of users towards purchasing upgrades to Acrobat 9, and a cold shoulder to the smaller Unix market*?  The message being sent here appears, to me, to be that you can only expect updates to be prioritized on the latest and biggest version of Adobe’s products, and that support for other releases isn’t nearly as much of a priority.  Whether this is an accurate description of the situation isn’t really important; it is, after all, based on a few substantial assumptions.  In this case, though, perception rules in the absence of an official explanation from Adobe as to why some versions of Acrobat take weeks longer to patch the same problem.

*I don’t have any sales figures for platform-specific versions of Acrobat.  The Unix market being smaller is just my assumption.