September 8, 2010

Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says it's in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, a malicious PDF file going around that leverages the new exploit is currently detected by only about 25 percent of the anti-virus programs out there (the VirusTotal scan results from today are here, and yes, it's a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off JavaScript in Reader is always a good first step. Acrobat JavaScript can be disabled from the Preferences menu (Edit -> Preferences -> JavaScript, then un-check “Enable Acrobat JavaScript”).

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.
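For administrators who want to verify the mitigation above rather than click through each machine, here is an added example (not from the article, its comments, or Adobe) that audits the Reader 9 JavaScript preference across the user profiles loaded on a Windows host, using the HKCU value that David names in the comment thread below. It assumes Adobe Reader 9.x and treats a missing value as the shipped default (JavaScript enabled).

```powershell
# Added example, not Adobe's code: audit (and optionally set) the Adobe Reader 9
# JavaScript preference for every loaded user hive.
# Value path (from the comment thread): HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
# Assumption: a missing value means the product default, which is JavaScript enabled.
param(
    [switch]$Fix   # when set, write bEnableJS=0 wherever JavaScript is enabled or unset
)

$relPath = 'Software\Adobe\Acrobat Reader\9.0\JSPrefs'

# HKU: is not mounted as a PowerShell drive by default
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Loaded user hives: SIDs of the form S-1-5-21-..., skipping the *_Classes hives
$hives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

$report = foreach ($h in $hives) {
    $key   = Join-Path -Path "HKU:\$($h.PSChildName)" -ChildPath $relPath
    $value = $null
    if (Test-Path -Path $key) {
        $value = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
    }
    # The "unset" case is the one that bites after an update or a silent install
    # that never applied the custom key.
    $state = if ($null -eq $value) { 'unset (default: enabled)' }
             elseif ($value -eq 0)  { 'disabled' }
             else                   { 'enabled' }

    if ($Fix -and $state -ne 'disabled') {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null
        $state = 'disabled (fixed)'
    }

    [pscustomobject]@{ SID = $h.PSChildName; bEnableJS = $value; State = $state }
}

$report | Format-Table -AutoSize
```

Only hives of currently logged-on users appear under HKEY_USERS, so profiles that are not loaded are not reported; writing to another user's hive requires administrative rights.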

26 thoughts on “Attackers Exploiting New Acrobat/Reader Flaw”

  1. JBV

    Seems to me like you recommended disabling Javascript in Reader a long time ago.

    It’s unchecked on my computer, and I won’t miss it until it’s time to do taxes (IRS uses it in forms). When I opened a saved old tax return, a warning appeared saying Javascript has been disabled and that “Enabling Javascript can lead to potential security issues.” The warning is provided by Adobe:

  2. TekFan

    Any ideas on how this might affect Chrome’s built-in PDF reader?

    1. JBV

      On my computer (Windows 7 + Chrome + Adobe Reader installed), Chrome will open a PDF file in its browser, but downloads that file to Adobe Reader. Very confusing, and probably not safe.

  3. BaldEagle

    Hi, seems like Adobe & Acrobat are constantly getting targeted, and as a Senior & Newbie it is a little difficult to stay one step ahead of the bad guys.
    Installed on my PC are: Adobe Reader 9, Acrobat, Abbyy Fine Reader 6.0, Windows Media Player, Quicktime Player and a Desktop Icon for iTunes Setup. I don’t think that they are ever used. (I use Secunia to try to keep safe & current.)
    Not too sure where they came from, but would love to know if I can live without them or get safer alternates.
    Is it safe to delete them, or are there other programmes that may be inter-dependent?
    Any advice would be appreciated as there is very little local advice available.
    Many thanks.
    P.S. Looks like Foxit would be a good replacement for Adobe.

  4. eCurmudgeon

    How about pestering Adobe to strip all of the scripting and multimedia garbage out of PDF (which tends to be responsible for the majority of security defects/vulnerabilities) and create a Secure Document Format instead?

    This would consist of the absolute minimum subset of Postscript needed to accurately represent a document, security/usage information and a digital signature block, and nothing else.

    1. drzaiuschimplord

      They could at least start with three things:

      1. Javascript off by default. Warn to use just like 9.2 does now when it’s turned off.

      2. Automatically update by default. There’s no use in defaulting to waiting for the user to approve the update. Most don’t care, don’t notice, and never will.

      3. Write your patches so that they’re smaller and in a way that does not require a reboot. Everyone else seems to be able to do this, and downloading a 200 meg update to go from 9.1 to 9.2 Pro is ridiculous when the software itself comes in a 300 meg package.

      Sane defaults and a good patch system go a long way towards security.

      1. Chris

        The problem with turning on auto updates by default is that Adobe’s auto update requires the user to have administrative rights. While a user having administrative rights on their home computer is fine, it is a nightmare in the business environment. We are able to avoid most infections, both virus and malware, because our users do not have admin rights.

        1. drzaiusapelord

          Business environments will do updates via GP or other mechanism and will change the defaults. I don’t see this as a problem. As an admin I am almost never using the defaults, which are set for the home market anyway.

        2. Nitpicker

          I don’t agree that it’s “fine” for home users to run as admin 😉

          1. Chris

            Agreed, but if you try to explain to the average home user about running with administrator rights vs running with standard user rights they get the deer in the headlights look.

          2. xAdmin

            I always liked Aaron Margosis’ blog on non-admin stuff:

            “why wouldn’t you just want to log on as an admin all the time? Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand? Or would you prefer to keep it in a safe place until you actually need it? Does that metaphor work? How about “running with sharp scissors”? Well, let’s skip the metaphors, then.

            The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.”

            Why you shouldn’t run as admin

            The easiest way to run as non-admin

          3. drzaiusapelord

            Well, they don’t need to. The Adobe updater can run as a service under SYSTEM credentials like WU does.

  5. Pete

    Brian, next time you talk to Adobe about their exploitware issues, can you ask them when Adobe is going to bite the bullet and remove all the features that get pwnd so regularly and then fix the reader that’s left?

    Sandboxing bad code really is shutting the barn door after the horse has bolted.

  6. David

    Has anyone else noticed Adobe Reader updates reenabling javascript after it’s been disabled? I’m sure I disabled it months ago on every computer in our company that had Reader, but now it’s enabled again on most of them.

    1. Jane

      If it’s most instead of all, is it possible your users re-enabled it manually?

      1. David

        I had used the Adobe Customization Wizard 9 to make a custom installer. I couldn’t find a specific “disable javascript” checkbox in it, but it let me add custom registry keys to be installed, so I added HKCU/Software/Adobe/Acrobat Reader/9.0/JSPrefs/bEnableJS=0. I then installed it on each system, running as the current user.

        My initial assumption upon finding that javascript was still enabled was that it reset its options after the latest update (since it does reset a lot of other unsafe options on update, like displaying pdfs in browser, and reenabling its browser plugins), but maybe it just didn’t apply my change at all, and I hadn’t noticed. Though it doesn’t seem to be a commonly reported problem.

    2. drzaiusapelord

      Actually I noticed this myself recently. I think one of the .x updates resets settings. 9.1 to 9.2 perhaps. Or 9 to 9.1.

  7. xAdmin

    Funny to reference a pdf for the VirusTotal info on a post about exploiting a pdf reader. Even using Foxit Reader, I’ve grown to loathe the PDF format. Just give it to me in straight html or text! 🙂

    For Foxit users, I’d also recommend turning off JavaScript via Tools, Preferences, JavaScript and uncheck the box “Enable JavaScript Actions”. I don’t use pdf’s much, but have yet to run across a problem viewing any with JavaScript turned off in Foxit.

  8. Huh?

    Sorry I’m late to the party on this one, but this just sounds like the malware writers are worried about the upcoming Adobe Sandbox. That, I believe, will really cut down on these sorts of problems. All that other stuff is just a band-aid. Potentially, when Adobe does sandbox PDFs it will be more secure than Foxit.

    1. drzaiusapelord

      Actually, Foxit has a sandboxy-like feature with its secure reader option which is defaulted for PDFs in the browser. Adobe is just dragging its heels and at this point copying Foxit. Although, my understanding is that this will be a true sandbox or at least use Vista/7’s built-in protected mode functionality.
