Kill JavaScript in Adobe Reader to ward off zero-day exploit, experts urge

Computerworld - Users should disable JavaScript in Adobe's Reader and Acrobat tools to protect themselves until a patch for a just-disclosed vulnerability is available, security experts said today.

The advice is timely, as noted bug researcher and exploit maker HD Moore confirmed that an exploit would be published to the open-source Metasploit penetration testing framework within a day or two.

Shadowserver, a volunteer-run group that tracks vulnerabilities, was the first to urge users to switch off JavaScript. "We have said it before and we will say it again: Disable JavaScript," the group said in a Monday post to its blog.

Although Shadowserver purposefully kept much of what it knew to itself, the group confirmed that JavaScript was involved. "We can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [and] Reader," Shadowserver claimed. "Furthermore, the vulnerable JavaScript is obfuscated inside a 'zlib' stream making universal detection and intrusion detection signatures much more difficult."

Moore, the creator of Metasploit and chief security officer for security company Rapid7, echoed Shadowserver's advice. "Disabling JavaScript does prevent the vulnerable code from being called," Moore said in an e-mail to Computerworld Tuesday.

To disable JavaScript in Adobe Reader or Acrobat on Windows, users must select Preferences from the Edit menu, choose "JavaScript," then uncheck the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.)

Turning off JavaScript may be the only defense against attack until Adobe patches the problem. And it may be nearly a month before that happens: Adobe's next regularly-scheduled security updates for Reader/Acrobat are to ship Jan. 12, 2010.

But if Moore's preliminary work is any indication, attack code will go public long before then. "It is a little tricky to make reliable, but we are on track and should have a Metasploit update ready within a day or two at the latest," Moore said, referring to the probable release of an exploit module for the testing framework. Moore obtained a sample of the malicious PDF document being used to exploit the bug only this morning.

Moore also defended Metasploit's practice of providing working exploit code to anyone, including hackers. "Since the bug is 1) public and 2) widely exploited, we feel that adding an exploit module is the right thing to do, as it provides a safe way for folks to verify that their mitigation efforts actually work," said Moore.

Adobe will release its own in-lieu-of-patch recommendations later today, said Brad Arkin, Adobe's director for product security and privacy, in a direct tweet to Computerworld. "Full advisory coming later today with mitigation details," Arkin said around 3 p.m. Eastern. "Team is pulling that info together now."

Earlier today, Arkin told IDG News Service reporter Bob McMillan that the exploit targeted Windows users only. "It may trigger a crash on other platforms, but not an exploit," Arkin said in a direct tweet to McMillan.

Adobe Reader and Acrobat run on Windows, Mac OS X and Linux.

Read more about Security in Computerworld's Security Topic Center.