Adobe preps PDF patches for Reader

Urges users to tweak Reader to protect against no-bug-necessary attacks

Adobe Systems Inc. on Thursday will announce the patches it plans to deliver for its PDF software next week as part of its quarterly security update process.

The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in its Reader and Acrobat applications. The company also said that it might issue a patch for a design flaw that lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability.

It's unlikely that that patch will appear next week, however.

Like Microsoft Corp., Adobe notifies users prior to issuing security updates for its software, providing bare-bones information to give consumers and corporate administrators a heads-up. Adobe will issue patches for Reader and Acrobat on Tuesday, April 13, the same day Microsoft will release updates for its operating system and other software products.

There are no publicly known unpatched security vulnerabilities in Adobe Reader and Acrobat, according to the Danish bug-tracking firm Secunia. Any updates next week, then, will address privately-reported vulnerabilities or bugs that Adobe's own security engineers have uncovered.

But there is the PDF design flaw. Last week, Belgium researcher Didier Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Stevens' technique does not require an underlying vulnerability in Adobe Reader, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo last week, Stevens used a PDF document containing attack code that he was able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

Using Stevens' tactic, hackers would be able to exploit an up-to-date copy of Adobe Reader.

Last week, Adobe acknowledged that Stevens' attack used a legitimate feature built into Reader and Acrobat, and the company said that it was investigating his claims. At the time, Adobe declined to say whether it planned to update its software in response.

Yesterday, Adobe softened somewhat, saying that it had not ruled out a patch. "We're always looking at options," said company spokeswoman Wiebke Lips. "There are a few options to potentially further protect users." Among those options, she said, was a security update that would patch Reader and Acrobat. Lips declined to commit Adobe to a patch or timetable if the company decides to craft one.

Earlier Tuesday, an Adobe manager echoed Lips. "We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said group product manager Steve Gottwals in an entry on a company blog.

Gottwals also pointed out that consumers and corporate IT administrators can block Stevens-style attacks by rejiggering Reader and Acrobat. By unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences pane, consumers can stymie attacks. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry, Gotwalls added.

While there are no unpatched PDF vulnerabilities on the loose in the public domain, Adobe does have work to do, a prominent researcher said two weeks ago at the CanSecWest security conference, where he won a $10,000 prize for hacking Apple's Safari browser.

According to Charlie Miller, the only hacker to ever "three-peat" at the Pwn2Own hacking contest, Adobe Reader has at least three, possibly four, unpatched exploitable vulnerabilities.

At the conference, Miller walked others through the "dumb fuzzing" process he used to root out 20 vulnerabilities in products from Adobe, Apple, Microsoft and OpenOffice.org. Rather than give those vendors details of the bugs he found, Miller urged the companies to find the flaws themselves by replicating his methods.

During Miller's investigation, he ran more than 3 million PDF documents through his fuzzers -- automated tools that stress-test file formats to uncover possible flaws -- and found four he said were exploitable. He called at least one of those "a nasty bug" because it accounted for more than 30 crashes in a single fuzzed file.

Although representatives from Adobe, Apple and Microsoft were at the CanSecWest conference, only Microsoft's approached him to ask questions about how to duplicate his work, Miller said.

However, Miller and Brad Arkin, Adobe's director for product security and privacy, did trade tweets over Twitter. "Call me egotistical, but give me 2 years on the Reader team and I'd make a pretty solid proggie," Miller boasted last week in a reply to Arkin.

"Send me your proposal and rate. If you've got a compelling plan I'll be happy to pay for your services," Arkin said later.

When asked after the Twitter exchange if he was taking Adobe's challenge seriously and would consider working for the company, Miller said, "No, just saying I could make that program solid. They couldn't afford me."

Adobe will release its Reader and Acrobat patch plans Thursday, April 8, at around 1 p.m. Eastern time.

Photo of Adobe screen
To protect Reader and Acrobat against Didier Stevens' attack tactic, users should disable the feature that lets the software launch other programs, Adobe says.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies