Adobe patches PDF bugs hackers already exploiting
Fixes 17 flaws in Reader and Acrobat, gets kudos for rush job
Computerworld - Adobe on Tuesday patched 17 critical vulnerabilities in Reader and Acrobat, including one that hackers have been using for nearly a month to commandeer PCs.
Another patch fixed a design flaw in the PDF format that attackers have been exploiting since April to dupe users into downloading a Trojan horse.
Adobe rushed the security update, which was originally slated to ship July 13, because exploit code went public and attacks using rigged PDF documents started showing on antivirus vendors' reporting systems four weeks ago. The company patched Flash -- hackers were tricking people into visiting malicious sites, then using the same bug to launch drive-by attacks -- on June 10.
Sixteen of the 17 fixed flaws were labeled with the phrase "could lead to code execution" in Adobe's advisory, the company's way of saying that the bug was critical and could be used to hijack machines. Like Apple, and unlike Microsoft, Adobe doesn't rate the severity of the vulnerabilities it patches. The seventeenth patch was also likely critical: "Arbitrary code execution has not been demonstrated, but may be possible," the advisory read.
Another fix addressed a design problem in the PDF document format that could be leveraged to con users into downloading malware. The bug, which was not strictly a security vulnerability, was first disclosed by Belgium researcher Didier Stevens in late March. Stevens demonstrated how a multi-stage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader. Stevens also showed how a Reader warning could be changed to further fool users.
Hackers have been using Stevens' technique in mass attacks to infect Windows PCs with bot Trojans.
With the updates to versions 9.3.3 and 8.2.3, Adobe changed Reader and Acrobat so that the /Launch function was disabled by default -- in earlier editions it had been turned on -- and fixed the bug in the warning dialog so hackers couldn't modify it. "Today's update includes changes to resolve the misuse of this command," said Steve Gottwals, an Adobe group product manager, on a company blog. "We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks."
Stevens confirmed the fixes in a post to his blog Tuesday. "Not only is the dialog box fixed, but the /Launch action is also disabled by default," he said.
Five of the 17 bugs Adobe patched Tuesday were reported by Tavis Ormandy, the Google security engineer who was at the center of a brouhaha earlier this month after he publicly disclosed a vulnerability in Windows when Microsoft wouldn't commit to a patching deadline.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts