Adobe hits Reader users with 23-patch 'whammy'
Fixes flaw used by attackers for past month, starts talking about sandboxing protection tech
Computerworld - Adobe patched 23 security vulnerabilities in its Reader PDF viewer on Tuesday, most of them critical, including one that has been exploited by hackers for at least a month or possibly much longer.
Tuesday's patch job set a record for 2010, and came close to last year's biggest update, a 29-fix collection Adobe shipped in October 2009.
In September, Adobe promised to speed up the delivery of today's patches, which were originally meant to ship next week, because attackers were already leveraging a bug in Reader's and Acrobat's font parsing.
"Adobe is hitting customers with a double whammy today," Andrew Storms, director of security operations at nCircle Security, said via e-mail. "Adobe products continue to be at the top of the target list for malware writers."
"They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day," Storms said.
Tuesday's Reader and Acrobat updates also included a patch released more than two weeks ago for Flash, Adobe's media player. Both Reader and Acrobat include code to run Flash embedded in PDF documents.
Of the 23 bugs Adobe patched, the most notable was the one revealed Sept. 7 by Mila Parkour, an independent security researcher who reported the attack after discovering rigged PDFs attached to e-mail messages.
The vulnerability and attacks received the label "David Leadbetter" after the renowned golf swing coach whose name was used in the subject line of many of those e-mails.
The Leadbetter exploit was called "scary," "clever" and "impressive" by various security researchers in September, in part because it bypassed important defensive measures that Microsoft has built into Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Most of the attacks using the Leadbetter exploit were "targeted" -- aimed at specific individuals or companies -- rather than used in massive campaigns.
The exploit also relied on a stolen digital certificate to sign some of its files, another hint at a greater-than-average level of sophistication. Chet Wisniewski, a senior security adviser at security software vendor Sophos, compared the exploit to the Stuxnet worm, which also used pilfered certificates.
Wisniewski also noted that the Leadbetter exploit's stolen certificate had signed one component of the malware in 2009, a clue that the attack code, or at least part of it, had been circulating since then.
Of the 23 vulnerabilities patched today, 20, or 87% of the total, were tagged with the phrase "could lead to code execution" by Adobe in its accompanying bulletin.
Unlike some vendors, such as Microsoft, Adobe does not assign threat ratings to bugs in its products, but "code execution" means that attackers could exploit the flaws to hijack the computer.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts