Adobe has patched "a number of ... security vulnerabilities" in its free Adobe Reader software, but refused to provide details of the bugs it found and fixed.
Adobe Reader 8.1.2 addresses 27 items, most of which appeared to be usability problems, with a few stability issues thrown in for good measure. None of the 27 fixes listed in the 8.1.2 Release Notes called out a security vulnerability.
The lack of information about the purported bugs patched in 8.1.2 surprised some security researchers. "Curiously, no further details are available about the security update, which is not the norm for Adobe," said Thomas Kristensen, the chief technology officer at vulnerability tracker Secunia.
Adobe was much more verbose in its explanations the last time it updated Reader. In October 2007, for example, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious PDF files, the company published a support document that described the fixes in considerable detail and labelled the single security vulnerability as such.
However, Andrew Storms, director of security operations at nCircle, didn't see the move as a change. "My first thought is that it's no big deal," said Storms. "Vendors like Adobe have no historically standardised way of presenting information, which is in great contrast with Microsoft, which is very rigid about what and how it presents information.
"From Microsoft, we know what to expect each month," Storms said. "And Oracle is another [vendor] that has done a great service for the industry by standardising. But Adobe has not done that." The differences between October and today, he continued, might be attributable to something as mundane as someone different at Adobe writing up the bulletin.
According to Secunia, there is only one outstanding vulnerability in Reader that has not yet been patched - an information-disclosure bug that harks back to early March 2007. None of the more than two-dozen problems acknowledged by Adobe, however, match the description of the unpatched bug.
Adobe did not responds to questions about the information it has posted - and not posted - around the release of Reader 8.1.2.
The new version, which can be downloaded from the Adobe website or retrieved using the updater bundled with Reader, targets Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Mac OS X 10.4.3 and later.
For more PC security news, reviews and tutorials, see Security Advisor