Hackers exploit this year's fourth PDF zero-day
Adobe promises patch next Tuesday, same day as massive Microsoft security roll-out
Computerworld - For the fourth time this year, Adobe has admitted that hackers used malicious PDF documents to break into Windows PCs.
The bug in the popular Reader PDF viewer and the Acrobat PDF maker is being exploited in "limited targeted attacks," Adobe said yesterday. That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, oftentimes company executives or others whose PCs contain a treasure trove of confidential information.
Adobe promised to patch the vulnerability on Tuesday, Oct. 13, the same day that Microsoft plans to issue its biggest-ever collection of security updates.
The bug exists in Reader and Acrobat versions 9.1.3 and earlier on Windows, Mac OS and Linux, said Adobe in a security advisory published Thursday, but as far as the company knows, it is being exploited only to hijack Windows PCs. "There are reports that this issue is being exploited in the wild in limited targeted attacks," said Adobe. "The exploit targets Adobe Reader and Acrobat 9.1.3 on Windows."
Adobe will plug the hole next week as part of its quarterly security update for Reader and Acrobat. Last June, Adobe announced it would follow the lead of companies like Microsoft and Oracle and release regular security updates for Reader and Acrobat.
Originally, Adobe was to post patches last month, but a scramble during July to fix several flaws, including some introduced by Microsoft in a code "library" used by its own developers, as well as those in other companies, wreaked havoc on Adobe's schedule. It said more than a month ago that it would instead push the patch date into October.
Until a patch is released next week, Windows Vista and Windows 7 users can protect themselves by enabling Data Execution Prevention (DEP), a security feature designed to stop some kinds of exploits -- buffer overflow attacks in particular -- by blocking code from executing in memory that's supposed to contain only data. Instructions on how to enable DEP are available on Microsoft's support site.
Adobe has struggled this year to stay ahead of hackers. In March, the company quashed a PDF bug that attackers had been using for more than two months. It again patched Reader and Acrobat in May to block another zero-day.
In July Adobe fixed a Flash PDF-related flaw that was being used by hackers.
Next Tuesday's Reader and Acrobat updates will also patch a unknown number of other vulnerabilities, Adobe said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts