Adobe has said in a statement that researchers have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used in the Google incident.
Adobe issued a statement on Tuesday, saying it was aware of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.
In an update posted yesterday afternoon, Brad Arkin, Adobe's director of product security and privacy, acknowledged the ‘media coverage and headlines indicating that vulnerabilities in Adobe Reader may have been the attack vector in this incident’.
He said: “Just like we always do in the case of reports of security vulnerabilities in an Adobe product, we have been actively tracking down samples or other information regarding potential vulnerabilities in Adobe products related to this incident.
“Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010.”
Arkin said that it was a complex incident, that the investigation is ongoing, and that Adobe will continue to work with partners in the security community and the other firms affected.
“Even though we don't have any information regarding a zero-day vulnerability in an Adobe product, the sophistication of this incident also serves as a reminder to all of us of the importance of layers of security to provide the best possible defence against those with malicious intent,” said Arkin.
Wiebke Lips, Adobe's senior manager for corporate communications, reportedly told security blogger Brian Krebs that the Google incident was unrelated to Adobe's security update that day. She said: “It was just a bad coincidence that these came out on the same day (as its patch update).
“We're still investigating this whole issue, as is Google. We had this quarterly update scheduled for the last three months. This was to go out today and we did a pre-announcement a week ago. It just so happened that our announcement went live at the same time as Google's.”
However, Lips later told Computerworld that it appeared that Adobe was connected to the attack. She said: “We are still in the process of conducting our investigation into the incident. [But] it appears that this incident and the one Google announced earlier are related.
“The investigation into this incident is still ongoing. What we are saying is that the incidents appear to be related given the timing of the discoveries, but until the investigation is completed we won't be able to confirm.”
Graham Cluley, senior technology consultant at Sophos, said: “Speculation is sure to grow in the computer security community that the attackers were using booby-trapped PDF files that exploited unpatched zero-day vulnerabilities in Adobe Reader to gain control over corporate computers.”