Adobe preps PDF patches for Reader
Urges users to tweak Reader to protect against no-bug-necessary attacks
Computerworld - Adobe Systems Inc. on Thursday will announce the patches it plans to deliver for its PDF software next week as part of its quarterly security update process.
The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in its Reader and Acrobat applications. The company also said that it might issue a patch for a design flaw that lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability.
It's unlikely that that patch will appear next week, however.
Like Microsoft Corp., Adobe notifies users prior to issuing security updates for its software, providing bare-bones information to give consumers and corporate administrators a heads-up. Adobe will issue patches for Reader and Acrobat on Tuesday, April 13, the same day Microsoft will release updates for its operating system and other software products.
There are no publicly known unpatched security vulnerabilities in Adobe Reader and Acrobat, according to the Danish bug-tracking firm Secunia. Any updates next week, then, will address privately-reported vulnerabilities or bugs that Adobe's own security engineers have uncovered.
But there is the PDF design flaw. Last week, Belgium researcher Didier Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.
Stevens' technique does not require an underlying vulnerability in Adobe Reader, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo last week, Stevens used a PDF document containing attack code that he was able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.
Using Stevens' tactic, hackers would be able to exploit an up-to-date copy of Adobe Reader.
Last week, Adobe acknowledged that Stevens' attack used a legitimate feature built into Reader and Acrobat, and the company said that it was investigating his claims. At the time, Adobe declined to say whether it planned to update its software in response.
Yesterday, Adobe softened somewhat, saying that it had not ruled out a patch. "We're always looking at options," said company spokeswoman Wiebke Lips. "There are a few options to potentially further protect users." Among those options, she said, was a security update that would patch Reader and Acrobat. Lips declined to commit Adobe to a patch or timetable if the company decides to craft one.
Earlier Tuesday, an Adobe manager echoed Lips. "We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said group product manager Steve Gottwals in an entry on a company blog.
Gottwals also pointed out that consumers and corporate IT administrators can block Stevens-style attacks by rejiggering Reader and Acrobat. By unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences pane, consumers can stymie attacks. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.
Administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry, Gotwalls added.
While there are no unpatched PDF vulnerabilities on the loose in the public domain, Adobe does have work to do, a prominent researcher said two weeks ago at the CanSecWest security conference, where he won a $10,000 prize for hacking Apple's Safari browser.
According to Charlie Miller, the only hacker to ever "three-peat" at the Pwn2Own hacking contest, Adobe Reader has at least three, possibly four, unpatched exploitable vulnerabilities.
At the conference, Miller walked others through the "dumb fuzzing" process he used to root out 20 vulnerabilities in products from Adobe, Apple, Microsoft and OpenOffice.org. Rather than give those vendors details of the bugs he found, Miller urged the companies to find the flaws themselves by replicating his methods.
During Miller's investigation, he ran more than 3 million PDF documents through his fuzzers -- automated tools that stress-test file formats to uncover possible flaws -- and found four he said were exploitable. He called at least one of those "a nasty bug" because it accounted for more than 30 crashes in a single fuzzed file.
Although representatives from Adobe, Apple and Microsoft were at the CanSecWest conference, only Microsoft's approached him to ask questions about how to duplicate his work, Miller said.
However, Miller and Brad Arkin, Adobe's director for product security and privacy, did trade tweets over Twitter. "Call me egotistical, but give me 2 years on the Reader team and I'd make a pretty solid proggie," Miller boasted last week in a reply to Arkin.
"Send me your proposal and rate. If you've got a compelling plan I'll be happy to pay for your services," Arkin said later.
When asked after the Twitter exchange if he was taking Adobe's challenge seriously and would consider working for the company, Miller said, "No, just saying I could make that program solid. They couldn't afford me."
Adobe will release its Reader and Acrobat patch plans Thursday, April 8, at around 1 p.m. Eastern time.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts