Adobe hits Reader users with 23-patch 'whammy'
Fixes flaw used by attackers for past month, starts talking about sandboxing protection tech
Computerworld - Adobe patched 23 security vulnerabilities in its Reader PDF viewer on Tuesday, most of them critical, including one that has been exploited by hackers for at least a month or possibly much longer.
Tuesday's patch job set a record for 2010, and came close to last year's biggest update, a 29-fix collection Adobe shipped in October 2009.
In September, Adobe promised to speed up the delivery of today's patches, which were originally meant to ship next week, because attackers were already leveraging a bug in Reader's and Acrobat's font parsing.
"Adobe is hitting customers with a double whammy today," Andrew Storms, director of security operations at nCircle Security, said via e-mail. "Adobe products continue to be at the top of the target list for malware writers."
"They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day," Storms said.
Tuesday's Reader and Acrobat updates also included a patch released more than two weeks ago for Flash, Adobe's media player. Both Reader and Acrobat include code to run Flash embedded in PDF documents.
Of the 23 bugs Adobe patched, the most notable was the one revealed Sept. 7 by Mila Parkour, an independent security researcher who reported the attack after discovering rigged PDFs attached to e-mail messages.
The vulnerability and attacks received the label "David Leadbetter" after the renowned golf swing coach whose name was used in the subject line of many of those e-mails.
The Leadbetter exploit was called "scary," "clever" and "impressive" by various security researchers in September, in part because it bypassed important defensive measures that Microsoft has built into Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Most of the attacks using the Leadbetter exploit were "targeted" -- aimed at specific individuals or companies -- rather than used in massive campaigns.
The exploit also relied on a stolen digital certificate to sign some of its files, another hint at a greater-than-average level of sophistication. Chet Wisniewski, a senior security adviser at security software vendor Sophos, compared the exploit to the Stuxnet worm, which also used pilfered certificates.
Wisniewski also noted that the Leadbetter exploit's stolen certificate had signed one component of the malware in 2009, a clue that the attack code, or at least part of it, had been circulating since then.
Of the 23 vulnerabilities patched today, 20, or 87% of the total, were tagged with the phrase "could lead to code execution" by Adobe in its accompanying bulletin.
Unlike some vendors, such as Microsoft, Adobe does not assign threat ratings to bugs in its products, but "code execution" means that attackers could exploit the flaws to hijack the computer.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Malware and Vulnerabilities White Papers | Webcasts