April 21, 2011

Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw. Malwaretracker.com, for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

The advisory for the latest version is here. Users on Windows and Macintosh can grab the update using the product’s update mechanism. To manually check for an update, open your Reader or Acrobat and choose Help > Check for Updates.


21 thoughts on “Adobe Reader, Acrobat Update Nixes Zero Day”

  1. Andrew

    You may wish to clarify – It is my understanding from the security bulletin that there is no update for Adobe Reader X for Windows currently, only for Mac.

    The update for Reader will be available on June 14th…

    1. BrianKrebs Post author

      I thought I did include that. Jeez, must be that I’ve written so many of these stories about Adobe vulnerabilities over the past month that they’re all starting to run together.

      From Adobe’s advisory, which I link to in the post:

      Adobe Reader 9.x users on Windows can also find the appropriate update here:
      http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

      Adobe Reader 10.x and 9.x users on Macintosh can also find the appropriate update here:
      http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

      Because Adobe Reader X (10.x) Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011

      1. drzauisapelord

        I love how all the haters on protected mode were wrong. This is the third or fourth exploit protected mode stops. Sandboxing works. I’m the farthest thing from an Adobe fan, but I have to admit they got this right.

        1. Tony Smit

          The sandbox metaphor has one huge flaw:
          Cats use sandboxes for disposal. And then they cover it up.

          Maybe we should terrarium our software.

      2. Michael McNamara

        I agree with you Brian regarding the recent flurry of almost continuous Adobe updates. Adobe has left myself and I’m sure a number of individuals shaking their heads asking how many times do I really need to patch/update Adobe Flash or Adobe Reader in a single month?

        Cheers!

        1. DeborahS

          Oh, please. Why don’t people just accept that Adobe products have become a pisspot for the badguys and just bag it?

          I use FoxIt for PDFs (yeah, sure. There’s a few security exploits out on it also, but they’re not many. Not yet.) And I have Adobe Flash disabled in my browser. If a video on a website I want to watch requires it, I’ll enable it just to watch that video, and disable it again immediately after. I can hardly wait until HTML5 becomes the industry standard for web video.

          (OK, time for the rotten tomato onslaught from all you geeks who think I’m full of it. But have you been hit by malware more often than I have? How many times in the last 10 years?)

          1. DeborahS

            Oh, and I forgot to mention that Adobe themselves signed up for that option when they made it possible to store user data independently of browser cookies. Do you know how many places you have to look in to delete all the data that Flash developers store about you – right on your very own computer? It’s a bad guy’s wet dream, so Adobe – I think you deserve what you’re getting.

          2. Sile

            I’m inclined to agree with you that Adobe products are (for me) nearing that limit of being more trouble than they are worth. However…

            A) They are familiar to the people in the office environment, who are not comfortable with their computers or changes made on behalf of security.

            B) Abandoning ship is great when you know you’re leaping to a safer one. Not so great when that’s just because the ship you’re leaping to just hasn’t been targeted yet. If you have to keep jumping ship, sooner or later the folks from point A dig in their heels against changes, even necessary ones.

            The matter of migrating is proving that the new platform is actually more secure; not that it is just less exploited.

          3. DeborahS

            I’m sorry in advance if it displeases people that I am replying to myself so often, but one more thing that I’ve seen seems to be worth telling.

            If Flash developers can store all that data about you right on their very own computers, that they can access anytime you visit their web resources again, what do you think they are porting directly into their own databases? Don’t you think that they have a database with a set of records that point directly to you, with all the IP addresses you’ve ever had, the email addresses they’ve trapped as belonging to you, the web histories they know you have traveled? Sure, it’s a lot of data for the bad guys to manage and find a way to use, but don’t think that nobody’s doing it.

            My advice? Keep a low profile on the internet. Don’t maintain a public presence, like in a Facebook or MySpace profile. Delete any data they might keep on you on your own computer, and lastly, just hope that nobody really has you down to a “T”. Oh, and maybe – just don’t have anything that anybody would want to steal.

            Does that sound grim? Well, my friends, welcome to the internet age.

          4. andy1

            good grief, the sooner your comments are hidden the better. Anyway, there’s more than just *your* answer to every question about internet security. I’ve found the most helpful comments have been about layered security. No one thing is going to protect you (running unpatched xp and using zonealarm, lol), but paying attention to all of the tools available (no-script, timely updates, alternative browsers, email clients) and being cautious about links and attachments goes a long way.

          5. DeborahS

            @andy1

            Oh, you can vote my comments into oblivion as often as you like, but that will not negate whether what I say is true.

            Letting Adobe Flash have open access to all your software and all your internet travels is just begging for a disaster to happen.

            Sorry mates, it’s just a fact.

      3. Chris

        Thanks, I was coming to ask about Reader X for Windows.

    2. Jonno

      Does Chrome browser get this automatically? and how quickly if it does?

      1. JBV

        Chrome does not automatically update Adobe Reader or Acrobat. If you have either of these installed on your computer, then open the program, click on Help, and then on Check for Updates. If your Adobe program needs updating, this will do it painlessly. (Except for the annoying shortcut that it leaves on your desktop, which you can delete.)

  2. Silver Fox

    Brian,

    Keep up the good work. Your site is a fantastic resource which I rely on to help me patch 4 Windows PCs I’m responsible for.

  3. Mark Kelly

    Adobe really need to get their act together and do a focus on the importance of information security. Everyone has patch issues to some extent but this feels like an epidemic.

    1. JBV

      On the other hand, it’s nice to see that Adobe is quickly getting out these patches instead of waiting for their regular quarterly updates.

  4. Maggie

    Regularly check Brian’s alerts re updates. Today, downloaded latest Shockwave and Flash Player. Three times, I downloaded the Shockwave.dmg and went through the install process. Rebooted after installations – yet, when checking Plug-In status in the Firefox browser, it kept telling me it is ‘out-of-date.’

    Finally, I checked status via Qualys where all my Adobe updates are absolutely current. Yet Firefox is still saying no. What’s going on here?

  5. DeborahS

    Just came across an excellent article on a drive-by strategy that exploits the CVE-2011-0611 Adobe Flash 0-day (the one that hit RSA):

    http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html

    In it they discuss how this strategy, which they call drive-by cache, is different from the drive-by downloads identified by Google in 2003, and why 0 out of 42 anti-virus scanners they tested failed to detect it.

    Valuable technical read on the subject, but they issue a warning when you browse to that page that an example of the specific code used in this type of attack is given on the page and may set off some false AV alarms.

    Moral of the story? Browse in a sandbox, use no-script, don’t use Adobe Flash, run in disposable virtual machines? (I can think of some other possibilities, but this is a starter list.)
