Adobe won't patch latest PDF zero-day until Jan. 12
Public exploit already available, portends widespread attacks soon
Computerworld - Adobe won't patch the newest critical vulnerability in its PDF viewing and editing software for another four weeks, even though attack code has been publicly released.
Adobe's plan to patch next month means that most users will be at risk until then, as researchers have already crafted a working, if not always reliable, exploit for the vulnerability.
HD Moore, the creator of the open-source Metasploit penetration testing framework, and chief security officer for security company Rapid7, said yesterday that he had worked up attack code for the Reader/Acrobat zero-day bug. "We managed to get the exploit sorted out faster than I thought," said Moore in an e-mail to Computerworld yesterday. "It's now available through the online update feature of Metasploit."
He also announced the exploit module's availability via his Twitter feed.
The exploit is not 100% reliable, however. In a reply to a tweet asking why the Metasploit exploit module wasn't working for one user, Moore explained: "tricky bug and some non-english locale's overlap with the heap spray, we should have an update soon."
Unlike other penetration testing frameworks -- such as CANVAS, which is developed by Miami Beach-based Immunity -- the open-source Metasploit doesn't charge for its exploits. That lets hackers, as well as legitimate security researchers, get their hands on working attack code.
The appearance of an exploit on Metasploit increases the chance that widespread attacks will begin, said Joshua Talbot, a security intelligence manager in Symantec's security response team. "An exploit in Metasploit lets hackers build on that code," said Talbot, referring to the leg-up attackers receive from Moore's work.
For his part, Moore defended Metasploit's practice of providing working exploits to anyone. "Since the bug is 1) public and 2) widely exploited, we feel that adding an exploit module is the right thing to do, as it provides a safe way for folks to verify that their mitigation efforts actually work," Moore said in a Tuesday e-mail.
Hackers are already exploiting the Adobe bug in the wild, said Symantec's Talbot, although the volume of attacks remains low and the campaign has targeted a relatively small number of people. Those users have received e-mail messages with attached PDF files masquerading as briefing notes or interview requests from the CNN cable news channel. According to the Contagio malware dump Web site, which posted several examples of attack messages, the Adobe bug has been actively exploited since at least Nov. 30.
The targeted attacks have used the Reader/Acrobat vulnerability to drop information-stealing malware onto victims' PCs, said Symantec in its technical write-up of the attack code.
When it issues the update next month, Adobe will post it to its security support site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter @gkeizer, send e-mail at firstname.lastname@example.org or subscribe to Gregg's RSS feed .
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts