08 Sep 10

Attackers Exploiting New Acrobat/Reader Flaw


Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that it is being actively exploited in the wild. The company says it's in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit is currently detected by only about 25 percent of the anti-virus programs out there (today's VirusTotal scan results are here, and yes, it's a safe PDF).

Adobe's advisory doesn't discuss possible mitigating factors, although turning off JavaScript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript, then un-check "Enable Acrobat JavaScript").

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.
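The Preferences checkbox above is a per-user setting, which makes it tedious to verify on more than one machine, and readers in the comments below report that it is sometimes found re-enabled after an update. The following PowerShell script is an added example, not part of the original post or of any Adobe tooling: it audits (and, with a switch, disables) Acrobat JavaScript for Reader 9 by reading the per-user registry value `HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS`, the path a commenter below reports using with the Customization Wizard. That this value is exactly what the Preferences checkbox toggles, and that a single 9.x install is present, are assumptions; the function names and the `-AllUsers`/`-Remediate` switches are this example's own.

```powershell
# Added example, not from the article: audit (and optionally disable) Acrobat
# JavaScript for Adobe Reader 9 on Windows. It reads the per-user preference
# value HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS (the path a
# commenter on this post reports; assumed here to be the value the
# Edit -> Preferences -> JavaScript checkbox toggles). Reader ships with
# JavaScript enabled, so a missing value is reported as enabled.
#
# Usage:  .\Audit-ReaderJS.ps1              # report the current user
#         .\Audit-ReaderJS.ps1 -AllUsers    # every loaded user hive (needs admin)
#         .\Audit-ReaderJS.ps1 -Remediate   # write bEnableJS=0 where not already disabled
param(
    [switch]$AllUsers,
    [switch]$Remediate,
    [string]$ReaderVersion = '9.0'   # assumption: one Reader 9.x install per machine
)

function Get-ReaderJavaScriptState {
    # Returns 'Disabled', 'Enabled', or 'Enabled (not configured)' for one hive.
    param([string]$HiveRoot)
    $keyPath = "$HiveRoot\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    if (-not (Test-Path -LiteralPath $keyPath)) { return 'Enabled (not configured)' }
    $item = Get-ItemProperty -LiteralPath $keyPath -Name 'bEnableJS' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (not configured)' }
    if ([int]$item.bEnableJS -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-ReaderJavaScript {
    # Writes DWORD bEnableJS=0; Reader picks it up the next time it starts.
    param([string]$HiveRoot)
    $keyPath = "$HiveRoot\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $keyPath -Name 'bEnableJS' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Hives to inspect: the current user, or every loaded profile under HKEY_USERS.
# Real user SIDs look like S-1-5-21-...; this filter skips the *_Classes subkeys
# and the built-in system/service accounts.
$hives = @()
if ($AllUsers) {
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $hives += "Registry::HKEY_USERS\$($_.PSChildName)" }
} else {
    $hives += 'HKCU:'
}

foreach ($hive in $hives) {
    $state = Get-ReaderJavaScriptState -HiveRoot $hive
    Write-Output ("{0,-60} {1}" -f $hive, $state)
    if ($Remediate -and $state -ne 'Disabled') {
        Disable-ReaderJavaScript -HiveRoot $hive
        Write-Output ("{0,-60} -> bEnableJS=0 written" -f $hive)
    }
}
```

Because the value lives in each user's hive, `-AllUsers` only sees profiles that are currently loaded, and writing to another user's hive requires administrative rights; a logon script running as the user, or the Customization Wizard approach a commenter describes, reaches the rest. Re-run the audit after each Reader update, since commenters below observe that some point releases reset this and other preferences.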


26 comments

  1. Seems to me like you recommended disabling Javascript in Reader a long time ago.

    It’s unchecked on my computer, and I won’t miss it until it’s time to do taxes (IRS uses it in forms). When I opened a saved old tax return, a warning appeared saying Javascript has been disabled and that “Enabling Javascript can lead to potential security issues.” The warning is provided by Adobe:

    http://kb2.adobe.com/cps/504/cpsid_50432.html

  2. Any ideas on how this might affect Chrome’s built-in PDF reader?

    • On my computer (Windows 7 + Chrome + Adobe Reader installed), Chrome will open a PDF file in its browser, but downloads that file to Adobe Reader. Very confusing, and probably not safe.

  3. Hi, seems like Adobe & Acrobat are constantly getting targeted, and as a Senior & Newbie it is a little difficult to stay one step ahead of the bad guys.
    Installed on my PC are: Adobe Reader 9, Acrobat, Abbyy Fine Reader 6.0, Windows Media Player, Quicktime Player and a Desktop Icon for iTunes Setup. I don't think that they are ever used. (I use Secunia to try to keep safe & current.)
    Not too sure where they came from, but would love to know if I can live without them or get safer alternates.
    Is it safe to delete them, or are there other programmes that may be inter-dependent?
    Any advice would be appreciated as there is very little local advice available.
    Many thanks.
    P.S. Looks like Foxit would be a good replacement for Adobe.

  4. How about pestering Adobe for stripping out all of the scripting and multimedia garbage out of PDF (which tends to be responsible for the majority of security defects/vulnerabilities) and creating a Secure Document Format instead?

    This would consist of the absolute minimum subset of Postscript needed to accurately represent a document, security/usage information and a digital signature block, and nothing else.

    • They could at least start with three things:

      1. JavaScript off by default. Warn to use just like 9.2 does now when it's turned off.

      2. Automatically update by default. There’s no use in defaulting to waiting for the user to approve the update. Most don’t care, don’t notice, and never will.

      3. Write your patches so that they're smaller and in a way that does not require a reboot. Everyone else seems to be able to do this, and downloading a 200-meg update to go from 9.1 to 9.2 Pro is ridiculous when the software itself comes in a 300-meg package.

      Sane defaults and a good patch system go a long way towards security.

      • The problem with turning on auto updates by default is that Adobe's auto update requires the user to have administrative rights. While a user having administrative rights on their home computer is fine, it is a nightmare in the business environment. We are able to avoid most infections, both virus and malware, because our users do not have admin rights.

        • Business environments will do updates via GP or other mechanism and will change the defaults. I don’t see this as a problem. As an admin I am almost never using the defaults, which are set for the home market anyway.

        • I don’t agree that it’s “fine” for home users to run as admin ;-)

          • Agreed, but if you try to explain to the average home user about running with administrator rights vs running with standard user rights they get the deer in the headlights look.

          • I always liked Aaron Margosis’ blog on non-admin stuff:

            “why wouldn’t you just want to log on as an admin all the time? Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand? Or would you prefer to keep it in a safe place until you actually need it? Does that metaphor work? How about “running with sharp scissors”? Well, let’s skip the metaphors, then.

            The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.”

            Why you shouldn’t run as admin
            http://blogs.msdn.com/b/aaron_margosis/archive/2004/06/17/157962.aspx

            The easiest way to run as non-admin
            http://blogs.msdn.com/b/aaron_margosis/archive/2004/06/17/158806.aspx

          • Well, they don't need to. The Adobe updater can run as a service under SYSTEM credentials like WU does.

  5. Brian, next time you talk to Adobe about their exploitware issues, can you ask them when Adobe is going to bite the bullet and remove all the features that get pwnd so regularly, and then fix the reader that's left?

    Sandboxing bad code really is shutting the barn door after the horse has bolted.

  6. Has anyone else noticed Adobe Reader updates reenabling javascript after it’s been disabled? I’m sure I disabled it months ago on every computer in our company that had Reader, but now it’s enabled again on most of them.

    • That’s never happened to me.

    • If it's most instead of all, is it possible your users re-enabled it manually?

      • I had used the Adobe Customization Wizard 9 to make a custom installer. I couldn’t find a specific “disable javascript” checkbox in it, but it let me add custom registry keys to be installed, so I added HKCU/Software/Adobe/Acrobat Reader/9.0/JSPrefs/bEnableJS=0. I then installed it on each system, running as the current user.

        My initial assumption upon finding that javascript was still enabled was that it reset its options after the latest update (since it does reset a lot of other unsafe options on update, like displaying pdfs in browser, and reenabling its browser plugins), but maybe it just didn’t apply my change at all, and I hadn’t noticed. Though it doesn’t seem to be a commonly reported problem.

    • Actually I noticed this myself recently. I think one of the .x updates resets settings. 9.1 to 9.2 perhaps. Or 9 to 9.1.

  7. Funny to reference a pdf for the VirusTotal info on a post about exploiting a pdf reader. Even using Foxit Reader, I’ve grown to loathe the PDF format. Just give it to me in straight html or text! :)

    For Foxit users, I’d also recommend turning off JavaScript via Tools, Preferences, JavaScript and uncheck the box “Enable JavaScript Actions”. I don’t use pdf’s much, but have yet to run across a problem viewing any with JavaScript turned off in Foxit.

  8. Sorry I'm late to the party on this one, but this just sounds like the malware writers are worried about the upcoming Adobe sandbox. That, I believe, will really cut down on these sorts of problems. All that other stuff is just a band-aid. Potentially, when Adobe does sandbox PDFs, it will be more secure than Foxit.

    • Actually, Foxit has a sandboxy-like feature with its secure reader option which is defaulted for PDFs in the browser. Adobe is just dragging its heels and at this point copying Foxit. Although, my understanding is that this will be a true sandbox or at least use Vista/7’s built-in protected mode functionality.

  9. There are reports that there is an exploit for the latest Adobe Reader zero day that bypasses ASLR+DEP and uses a valid but stolen security certificate. Sophisticated and nasty.

    http://www.infoworld.com/d/security-central/newest-adobe-zero-day-pdf-exploit-bypasses-two-microsoft-defenses-098

  10. Apparently it can bypass ASLR and DEP because Adobe Reader and Acrobat use a DLL that doesn't use ASLR. Duh!

    You can use EMET 2 to force ASLR and block the exploit. Details from Microsoft here:
    http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx

  11. Adobe just published an update on this as well:

    “Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft’s Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.”

    http://www.adobe.com/support/security/advisories/apsa10-02.html

  12. Scary two page analysis of this Adobe vulnerability over at http://www.theregister.co.uk/2010/09/10/adobe_security_analysis/
