Adobe hits Reader users with 23-patch 'whammy'
Fixes flaw used by attackers for past month, starts talking about sandboxing protection tech
Computerworld - Adobe patched 23 security vulnerabilities in its Reader PDF viewer on Tuesday, most of them critical, including one that has been exploited by hackers for at least a month or possibly much longer.
Tuesday's patch job set a record for 2010, and came close to last year's biggest update, a 29-fix collection Adobe shipped in October 2009.
In September, Adobe promised to speed up the delivery of today's patches, which were originally meant to ship next week, because attackers were already leveraging a bug in Reader's and Acrobat's font parsing.
"Adobe is hitting customers with a double whammy today," Andrew Storms, director of security operations at nCircle Security, said via e-mail. "Adobe products continue to be at the top of the target list for malware writers."
"They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day," Storms said.
Tuesday's Reader and Acrobat updates also included a patch released more than two weeks ago for Flash, Adobe's media player. Both Reader and Acrobat include code to run Flash embedded in PDF documents.
Of the 23 bugs Adobe patched, the most notable was the one revealed Sept. 7 by Mila Parkour, an independent security researcher who reported the attack after discovering rigged PDFs attached to e-mail messages.
The vulnerability and attacks received the label "David Leadbetter" after the renowned golf swing coach whose name was used in the subject line of many of those e-mails.
The Leadbetter exploit was called "scary," "clever" and "impressive" by various security researchers in September, in part because it bypassed important defensive measures that Microsoft has built into Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Most of the attacks using the Leadbetter exploit were "targeted" -- aimed at specific individuals or companies -- rather than used in massive campaigns.
The exploit also relied on a stolen digital certificate to sign some of its files, another hint at a greater-than-average level of sophistication. Chet Wisniewski, a senior security adviser at security software vendor Sophos, compared the exploit to the Stuxnet worm, which also used pilfered certificates.
Wisniewski also noted that the Leadbetter exploit's stolen certificate had signed one component of the malware in 2009, a clue that the attack code, or at least part of it, had been circulating since then.
Of the 23 vulnerabilities patched today, 20, or 87% of the total, were tagged with the phrase "could lead to code execution" by Adobe in its accompanying bulletin.
Unlike some vendors, such as Microsoft, Adobe does not assign threat ratings to bugs in its products, but "code execution" means that attackers could exploit the flaws to hijack the computer.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts