February 15, 2013

Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products.

The company issued an advisory about the threat on Wednesday, which confirms many of the details first disclosed by security firm FireEye earlier this week. FireEye has since posted a follow-up blog entry that sheds some additional light on how this attack works.

According to Adobe, there are two vulnerabilities in play here, and they exist in the latest versions of its software, including Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux.

Adobe says it is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message. The software maker added that it is in the process of working on a fix for these issues.

In the meantime, Windows users of Adobe Reader XI and Acrobat XI can protect themselves from this exploit by turning on Protected View: choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu.

For those spooked enough to avoid Adobe until a fix is available, there are several other free PDF reader programs available. I have been using Sumatra PDF for some time, and prefer it because it seems very lightweight and fast. Foxit Reader is another popular alternative.

This entry was posted on Friday 15th of February 2013 11:45 AM


34 thoughts on “Zero-Day Flaws in Adobe Reader, Acrobat”

  1. AdobeX

    > “Open Reader or Acrobat. Click on the Edit menu, select Preferences, and then click on the Security (or Security Enhanced) option. In the Protected View section at the top of the window, click on the button to enable “Files from potentially unsafe locations” and then click OK.”

    These options do not appear to exist in Adobe Acrobat X 10.1.5 for OS X, either in Security, Advanced Preferences, or Security (Enhanced).

    1. Moike

      “These options do not appear to exist in Adobe Acrobat X 10.1.5 for OS X, either in Security, Advanced Preferences, or Security (Enhanced).”

      Also the options do not appear here with Win7. I have disabled a number of other miscellaneous paraphernalia such as scripting and some automatic multimedia invocation. Not sure why the options don’t show up here though.

    2. Jonathan

      That’s right, they only exist in Reader XI, not Reader X.

  2. Chuck

    Do any Krebs followers know whether this vulnerability is also present in other PDF readers, such as PDF-Xchange?

  3. Artem

    Adobe said “When Protected View is enabled, PDFs are displayed in a restricted environment called a sandbox.” But what does “the sandbox is bypassed by this 0day” mean if it is turned off by default?

  4. Bill

    Is there a group policy setting for this to turn on Protected View as the default?

    1. Andrew Zizzo

      Yep. Adobe has a GP template on their website for Acrobat XI and that’s one of the options.

    2. Jason

      Not a GPO, but a registry key can set it:
      In HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown create two DWords:
      bEnhancedSecurityInBrowser=00000001
      bEnhancedSecurityStandalone=00000001

      Change the 11.0 to 10.0 or 9.0 as appropriate.

      1. Jason

        Whoops, missed the other two:
        also set iProtectedView=1 and bProtectedMode=1 as DWords in the same key.
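The registry values Jason lists (which enforce the Protected View setting the post body describes) can be applied and then audited from an elevated PowerShell session. This is an added example, not code from the post or from Adobe; the `Adobe Acrobat` product path and the parameter names are assumptions, the value names come from the comment.

```powershell
# Added example, not from the post or from Adobe. Applies the FeatureLockDown
# policy values listed in Jason's comment for Reader/Acrobat XI by default.
# Assumes an elevated PowerShell on Windows; the 'Adobe Acrobat' product path
# is an assumption (the comment only shows the Reader path).
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Acrobat Reader', 'Adobe Acrobat')]
    [string]$Product = 'Acrobat Reader',
    [ValidateSet('9.0', '10.0', '11.0')]   # "change the 11.0 to 10.0 or 9.0 as appropriate"
    [string]$Version = '11.0'
)

$key = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown"

# Enhanced security on, Protected View for files from potentially unsafe
# locations (1), and the Protected Mode sandbox on; all DWORDs.
$desired = [ordered]@{
    bEnhancedSecurityInBrowser  = 1
    bEnhancedSecurityStandalone = 1
    iProtectedView              = 1
    bProtectedMode              = 1
}

if (-not (Test-Path -Path $key)) {
    if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
        New-Item -Path $key -Force | Out-Null
    }
}

foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $desired[$name]) {
        Write-Verbose "$name is already $current"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($desired[$name])")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
        Write-Host "Set $name = $($desired[$name]) (was: '$current')"
    }
}

# Print the resulting state so the lockdown can be audited after the run.
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object -Property ([string[]]$desired.Keys)
```

Run with `-WhatIf` first to see which values would change without writing anything.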

  5. Gary Benjamin

    Looks like Sumatra is a good choice, but does anyone know how often they patch their reader?

  6. Bill

    It’s worth noting that, according to Microsoft, EMET defends against this zero day (see @msftsecresponse on Twitter).

    1. BK

      Thanks for the note on EMET. However, I had to manually add the version 11 executable as it was not included in the “All” profile installed on my comp. Are the profile files routinely updated and, if so, can the profile files be updated w/o reinstalling EMET?

      1. mechBgon

        The EMET configuration files are static, so you took the right approach by adding Reader 11 manually. I suggested to Microsoft’s public contact that they could build EMET into Microsoft Security Essentials and update its protection list as part of the antivirus signatures, and maybe they’re considering it after an AV-testing outfit dinged MSE for not stopping enough zero-days. But for now, MSE’s stock deployment templates don’t update themselves.

        When you start EMET, it shows a list of running processes, so you may want to review that list for other software you want to add, and/or search through your Program Files and Program Files (x86) directories for other likely targets.

        I’ve been setting up Reader to open files in Protected View by default for quite a while (this guy has some additional tips: http://security.thejoshmeister.com/2010/05/7-easy-steps-to-increase-adobe-reader.html ). But I recently upgraded most of our computers to Win8 Pro at work, which has its own “vanilla” PDF reader. The Win8 PDF reader runs in an AppContainer (read: highly-restricted sandbox). It doesn’t have excessive features/attack surface, unlike Adobe Reader (which I suspect is so feature-laden because it’s geared to sell Adobe Acrobat). And Win8’s reader, being a Windows component, updates itself fine for non-Admins, even with a Software Restriction Policy in place. So for those of you with Windows 8, see if the built-in PDF reader will get the job done for you.

        1. mechBgon

          Ooops, typo. I meant to say that EMET’s stock deployment templates don’t update themselves, not MSE’s.

        2. JimboC

          I have found that I have not needed to make any changes to my security settings within Adobe Reader 11 to protect against this flaw since I have set all PDF files to always open in Enhanced Protected Mode. I have only needed to view a PDF outside of this mode twice (in order to print it) since installing it back in October.

          I would recommend only using one PDF reader application, since with any more you are simply adding extra overhead and time for you to keep them up to date. The more applications you use, the more ways a potential attacker could exploit them.

          For any application you choose, I would recommend protecting it with EMET (version 3.0 or 3.5 Tech Preview). For example the US-CERT provides a video of adding Sumatra PDF to EMET at the following link:

          http://www.youtube.com/watch?v=28_LUs_g0u4

          In addition to the advice provided by mechBgon about security settings within Adobe Reader, the following forum post may also provide advice about how to secure the settings within Adobe Reader 10 (and later versions).

          http://www.bleepingcomputer.com/forums/topic362758.html

          If you have Google Chrome installed on your computer you can use it to view PDFs (not sure if this also works for Mac OS X). Details of this workaround are available at the following link:

          http://www.h-online.com/security/news/item/Adobe-recommends-workaround-for-critical-holes-in-Reader-1803516.html

          I hope this helps. Thank you.

        3. JimboC

          mechBgon’s comment about using the PDF Reader app of Windows 8 is an excellent suggestion, since it is extremely hardened from attack due to the presence of the security mitigations added by Microsoft, as detailed on page 38 of the following Microsoft Windows 8 Security PDF:

          http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

          My suggestion of using EMET for as many applications as possible is due to the advice on pages 16 and 40 of this PDF, i.e. that attackers’ focus will now switch to less hardened applications and applications that load at predictable locations in memory.

          We need to make the job of an attacker as hard as possible.

          Thanks.

          1. mechBgon

            Thanks for all your useful info JimboC 🙂

            Tangentially, in Miller’s presentation that you mentioned, on page 32 he mentions that Win8 also supports a new hardware-level CPU security feature similar to Data Execution Prevention, with the acronym SMEP. For the security-minded folks, if you’ll be buying (or building) Windows 8 systems, check whether the CPU supports SMEP. SMEP complicates exploitation by preventing the OS kernel from executing code in memory space marked as user.

            As of early 2013, SMEP is supported on Intel processors with Ivy Bridge cores, which are used in the _latest_ versions of the Celeron, Pentium, Core i3/i5/i7 and some Xeons. A little homework will net you a nice hardware-based security bonus 🙂

            1. JimboC

              Hi mechBgon,

              I am glad you liked the information that I posted. The presentation from Matt Miller contains the best information about Windows 8 Security that I have encountered.

              I have some links to more info about SMEP if you are interested? For example, some researchers have found ways to partially bypass it.

              Thanks.

              1. mechBgon

                I’ve read a number of papers and articles on SMEP already, and absorbed about as much information as my non-coder brain can take 🙂 It boiled down to “wow, I wish the computers in my SOHO fleet had SMEP-capable CPUs.” I wonder if Microsoft will backport SMEP support to Win7, have you read anything along those lines?

                1. JimboC

                  No, I’m afraid that I have not read anything that suggests it will be back-ported to Windows 7.

                  I read that Windows 8 is one of the first of any OS to have support for SMEP. SMEP has been in the making for over a year. It was added to Windows 8 before the Ivy Bridge CPUs came to the market.

                  I may or may not upgrade my CPU to an Ivy Bridge CPU. My motherboard does support it but I have my doubts about buying a new CPU just for a security feature.

                  Thanks.

  7. ellenc

    I’ve been using Foxit for years but a few weeks ago, a security warning was issued and I switched to Acrobat. Now I’ll have to switch to another pdf.
    It was a big surprise to get a warning about Foxit.

    1. Heron

      I stopped using Foxit when it started rearranging the items on our desktop whenever we updated it. (This was back when we had a computer that ran XP.) I’m happy with Sumatra nowadays.

  8. Vee

    For anyone looking to dump Adobe Reader:

    I just started using an open source .pdf reader called Evince and I’ve found that it’s not only less bloaty than Adobe Reader, it doesn’t even install a Firefox plugin to read .pdf (GOOD!). So for the few things I come across as .pdf I just have to download them and then open them.

    Nov, a commenter on here, had also recommended PDF-Xchange to me, which is another great one.

    I don’t know. I don’t know what to think of the whole “Well are these just safer cause they’re lesser known and in fact probably very well have tons of exploits yet to be discovered?” Sure, no doubt. But I also know Adobe Reader isn’t going to stop being the main one to target, every computer I’ve ever come across has a copy installed (and of course usually outdated). But even then it’s nice to use something different. I’ve been stuck with Adobe Reader since the 90s so even on that change isn’t bad.

    1. Steve Lembark

      Catch: Evince is Gnome. Doesn’t help anyone running another desktop.

      Another approach is using lxc to simply sandbox Adobe into its own filespace. Read the PDFs from a tmpfs and unmount it after use: no trace of the document or any effects it has on the O/S remain.

  9. Stratocaster

    When you click on the Reader link on the homepage, it directs you to 10.1.4, not even 10.1.5. Whassup with that? If you do the menu thing instead, for some, but not all, Windows versions, you can select 11.0.0.1 from the pull-down menu.
