December 6, 2011

Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.”

Adobe said it plans to ship an emergency update to address the vulnerability in Reader 9.x and Acrobat 9.x on Windows no later than the week of Dec. 12. Citing protections built into newer versions of its software, however, Adobe said it would not fix the flaw in Reader X or Acrobat X versions for Windows, Mac, or UNIX versions until Jan. 10, 2012, the date of its next scheduled quarterly security update. Adobe’s Brad Arkin explains more about the company’s reasoning behind this decision in a blog post published along with the advisory.

If you are using Adobe Reader or Acrobat, take a moment to make sure you have the latest version. It also never hurts to consider one of several free PDF reader alternatives to Adobe, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.

Update, Dec. 8, 3:02 p.m., ET: As one commenter has already noted, Foxit has released a security update for its reader. The latest version, 5.1.3, is available from this link.

20 thoughts on “Attackers Hit New Adobe Reader, Acrobat Flaw”

  1. Stan Rydzewski

    Note that the security advisory notes that “protected mode” must be enabled in the security options for Reader/Acrobat X to be secure against this. So if you use this stuff, now would be a good time to verify that it is. Wouldn’t hurt to verify that the multimedia and JavaScript engines are disabled at the same time.

  2. Richard

    Any chance I should uninstall it til the updates are ready?

    1. Nic

      Uninstall it and replace it with Foxit Reader (free download).

      If after a few weeks Foxit doesn’t cut the mustard then just install the updated Adobe product. But if Foxit is working fine then don’t look back.

      You can’t lose. 🙂

    2. J.R. Murray

      I think we are overlooking a major point within the bulletin. Adobe recommends upgrading to Reader X because, to date, no exploits are reportedly functional against it.

      Yes, the flaw exists in 10.1.1 but the Protected Mode sandbox mitigates any exploitation damage. You cannot say that for any exploits against competing products such as FoxIt.

      Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit targeting this vulnerability from executing, we are planning to address this issue in Adobe Reader and Acrobat X for Windows with the next quarterly security update on January 10, 2012.

      This brings up a whole different topic of why they are not protecting users of Reader X with Protected Mode disabled, but I digress.

  3. John

    Thanks, Brian. On your advice, I switched to Foxit some time ago, and have never looked back. I love it, and it’s had hardly any security issues.

  4. qka

    Are the alternate readers listed that much more secure; in other words, has anyone seriously tried to penetrate them? Or is it just security thru obscurity? Does everyone attack Adobe because they are the big guy and they leave the little guys alone?

    I’m not trying to start anything other than an informed conversation about the various options for PDF viewing.

    1. BrianKrebs Post author

      I think there’s a strong case to be made that non-Adobe readers are both far less targeted and contain a smaller attack surface — they have fewer features and a smaller code base. How often they are updated and how closely anyone is looking for security flaws in them is another set of questions that are harder to answer.

    2. JCitizen

      I believe Secunia does watch for vulnerabilities in the more popular alternatives to PDF readers. If they don’t watch your favorite, they have an avenue to request such analysis through their website. If they get enough requests, you can scan your applications either online or download the PSI utility to do it locally on your hard drive.

      According to this article at ZDNet Foxit is being monitored by Secunia:

  5. andy1

    Do you know if this is something that is exploited typically through a website that opens a PDF file (i.e. something that NoScript can prevent)? Or is it being exploited through email attachments?

    1. andy1

      meaning – I don’t open email attachments of which I don’t know the source, so that is relatively easy to screen. If I am just browsing to a website and it begins to load a PDF, that to me is more dangerous.

  6. Matt

    Adobe said it plans to ship an emergency update no later than the week of Dec. 12 to address the vulnerability in Reader 9.x and Acrobat 9.x on Windows no later than the week of Dec. 12.

  7. drzauisapelord

    Wait, so 10.x enables protected mode by default and this exploit does not work against protected mode. Do any of the media outlets care to report this fact? I’m not an Adobe defender, but I do care about the facts and from what I can tell a typical 10.x install is immune from this attack. From my casual reading of all the published attacks since 10 came out, I don’t think any pierce the protected mode (which is just a broker process like how IE8+ is handled). This is actually really impressive for Adobe.

    Yeah, the 9.x branch is a security nightmare, but the 10.x product looks fine to me. And no, a lot of us business admins can’t just switch to low_featured_alternative without breaking a lot of things and upping our support load (why can’t I open this PDF?!?!?).

    1. TJ

      Obviously, everyone’s situation is different, but I’ve never had a business related (i.e., health care) PDF that I couldn’t open with Foxit.

    2. mechBgon

      Adobe runs Reader X at Low integrity too. I think they finally figured out the value of mitigation techniques after being dragged through the headlines ad infinitum. Now that they’re on the security bandwagon, I see no reason to ditch Reader. Every product will have bugs, not every product has a Low-integrity sandboxed padded cell to contain them.

      1. drzauisapelord

        This is how I feel. I’m actually impressed by 10.x. Its save to HTML is extremely clean, its new UI is easy to use, its OCR works well, and its protected mode seems to be working.

    3. F-3000

      “a lot of us business admins can’t just switch to low_featured_alternative without breaking a lot of things and upping our support load (why can’t I open this PDF?!?!?).”

      I would say that instead of forcing users to use a certain product just because you don’t want to produce fancy content that’s supposed to work equally on every viewer, business admins (and all other equals) should produce as minimal content as possible to ensure that it works for everyone, regardless of their viewer. (For comparison, would you really want to produce a website that’s available only for IE users, just because you want to include a function in it that’s probably not necessary, or “easier” to produce with a certain piece of code?)

      As an example, I bet there are countless PDF files that include a “Print” button straight in the document, which works only in Adobe Reader. Seriously, how necessary is such a button, when the user most likely is aware of the “Print” option in the menu – which has been there like forever, and is quite similar and/or in a similar location in almost all applications? Real trouble begins when such (most likely) unnecessary “features” cause crashes of, malfunctioning of, or failures to create proper appearance for the (non-Adobe) reader.
      (FYI, I’ve run into such a button, and out of “laziness” I tried to use it – but of course it didn’t work, because I wasn’t using Adobe Reader.)

      Another example of misbehavior: I filled in a form where it was said that saving any added information was not possible. “Funny” though, I was able to save said document and the information I had added, because I wasn’t using Adobe Reader. Nowhere was it said that saving it would be very unwise, because the form requested very personal information, and the form was supposed to be “fill, print and forget”.

      Long, long ago, on my personal homepage on GeoCities, I put a “heart-shower” on the link bar (a burst of hearts that rained off the screen on click), and it worked only on IE. It was totally pointless and irrelevant “eye-candy”, whose point was to annoy IE users. But eventually, one person said it was nice; otherwise I didn’t hear any comments about it. Yet every visitor had to load the same data related to the function, and there was no certainty that the function would not stop working on later versions of IE (I think it did at some point), or that it would not break the page on later versions of any browser (including IE).

      IMHO, in the case of a public document, one way to consider the skill of a producer is to find out how well he produces content that is NOT dependent on a very specific application, but instead attempts to ensure that as many people as possible are able to read the information.

      Trying to produce content that is as available as possible also has the benefit that your content is not too tightly tied to the whims of an application and its developers. Meaning that if Adobe changes something in its reader, your document most likely is not impacted in a negative manner.
      Now think of all those people who have created pages that are tagged with “Works only on IE”. With IE 8, it looks flawless, but by trying to view them with IE 9, there’s a huge chance that the whole site does not work, because M$ has all of a sudden chosen to simplify their product. I think that’s a very positive trend of them to stop making their own HTML and focus more on the standards, but that doesn’t help those people who have chosen to limit their production to one viewer. An extra buttload of work just because of that.

    4. kitchin

      In Reader 9.x, “check for updates” never suggests making the major update to Reader X, in my experience. Is the legacy feature trade-off that bad?

  8. Kent

    AFAIK, Foxit Reader also runs in some kind of protected mode.
    The last time I used it trying to click on a link or something in a pdf that tried to connect to the network in some fashion, I got an alert that I would have to allow this by changing the protection setting.

    But I would imagine it has its own flaws and needs for patching – just the nature of code and software in general.
