Unpatched PDF bug poses growing threat, say researchers

Computerworld - An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.

The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.

Although Adobe recommended that users disable JavaScript in Reader and Acrobat to protect themselves from the current attacks, other researchers now say that such a move may not help.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that didn't rely on JavaScript. "During our analysis, Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled," Carsten Eiram, chief security specialist, said in an entry to the company's blog.

On Tuesday, David Aitel, founder and chief technology officer at Immunity Inc., made the same claim. "Things like this are harder than they look," he said in a message to his Dailydave security mailing list. "Pablo and Kostya had to work quite a bit on reliability every step of the way. But the Acrobat JBIG exploit now works nicely without any JavaScript heap spray." The exploit has been added to CANVAS, Immunity's commercial penetration testing product.

The next day, Wednesday, Belgian security researcher Didier Stevens said he also had crafted an exploit that triggers the bug without requiring JavaScript, and backed up his claim by publicly posting proof-of-concept attack code. His exploit works in the background, and doesn't require that a user actually open a malformed PDF file.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability ... just like it would when you would explicitly open the document," Stevens said in a blog post.

Adobe has acknowledged that its advice to disable JavaScript wouldn't be a panacea. In an interview last week, Brad Arkin, Adobe's director for product security and privacy, admitted that only the forthcoming patch would completely protect users. "Disabling JavaScript does not provide a full mitigation," Arkin said. "It protects against one form of attack. To the best of our understanding, there's no product configuration that can completely mitigate the threat."

Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."

Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.

Some security researchers have urged users to do more than turn off JavaScript in Adobe Reader. "From my point of view, Adobe Reader has become the new IE," Mikko Hypponen, chief research officer at Helsinki, Finland-based F-Secure Corp., said in a blog entry last week. "For security reasons, avoid it if you can."

Adobe has said it will post a notification on its security site when it issues patches next week.

Read more about security in Computerworld's Security Knowledge Center.