Skip the navigation

Adobe hits Reader users with 23-patch 'whammy'

Fixes flaw used by attackers for past month, starts talking about sandboxing protection tech

October 5, 2010 09:15 PM ET

Computerworld - Adobe patched 23 security vulnerabilities in its Reader PDF viewer on Tuesday, most of them critical, including one that has been exploited by hackers for at least a month or possibly much longer.

Tuesday's patch job set a record for 2010, and came close to last year's biggest update, a 29-fix collection Adobe shipped in October 2009.

In September, Adobe promised to speed up the delivery of today's patches, which were originally meant to ship next week, because attackers were already leveraging a bug in Reader's and Acrobat's font parsing.

"Adobe is hitting customers with a double whammy today," Andrew Storms, director of security operations at nCircle Security, said via e-mail. "Adobe products continue to be at the top of the target list for malware writers."

"They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day," Storms said.

Tuesday's Reader and Acrobat updates also included a patch released more than two weeks ago for Flash, Adobe's media player. Both Reader and Acrobat include code to run Flash embedded in PDF documents.

Of the 23 bugs Adobe patched, the most notable was the one revealed Sept. 7 by Mila Parkour, an independent security researcher who reported the attack after discovering rigged PDFs attached to e-mail messages.

The vulnerability and attacks received the label "David Leadbetter" after the renowned golf swing coach whose name was used in the subject line of many of those e-mails.

The Leadbetter exploit was called "scary," "clever" and "impressive" by various security researchers in September, in part because it bypassed important defensive measures that Microsoft has built into Windows, ASLR (address space layout randomization) and DEP (data execution prevention).

Most of the attacks using the Leadbetter exploit were "targeted" -- aimed at specific individuals or companies -- rather than used in massive campaigns.

The exploit also relied on a stolen digital certificate to sign some of its files, another hint at a greater-than-average level of sophistication. Chet Wisniewski, a senior security adviser at security software vendor Sophos, compared the exploit to the Stuxnet worm, which also used pilfered certificates.

Wisniewski also noted that the Leadbetter exploit's stolen certificate had signed one component of the malware in 2009, a clue that the attack code, or at least part of it, had been circulating since then.

Of the 23 vulnerabilities patched today, 20, or 87% of the total, were tagged with the phrase "could lead to code execution" by Adobe in its accompanying bulletin.

Unlike some vendors, such as Microsoft, Adobe does not assign threat ratings to bugs in its products, but "code execution" means that attackers could exploit the flaws to hijack the computer.



Our Commenting Policies