Adobe Alert: Updates available for latest zero-day exploit

Adobe finally released patches for several versions of Adobe Acrobat and Reader. Learn about the vulnerability and how to prevent the zero-day exploit.

In February of 2009, zero-day exploits targeting versions of Adobe Reader and Acrobat were found by security researchers. Symantec was one of the companies involved and offers a good explanation of the exploit:

"Symantec Security Response has received several PDF files that actively exploit vulnerabilities in Adobe Reader. While examining the JavaScript code used for "heap-spraying" in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source!

It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations, for example, locating the CEO's email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat."

Because it was a zero-day, there initially was no fix for the vulnerability, so security researchers recommended disabling JavaScript in all working Web browsers.

Adobe agrees

Adobe acknowledged the problem in a 19 February 2009 security bulletin:

"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited."

How the exploit works

As to how the malware exploits the vulnerability, Symantec goes on to explain:

"The vulnerability is caused by an error in parsing particular structures within the PDF format. Once the malicious document is opened it will trigger the vulnerability. The JavaScript payload then sprays the heap with the malicious shellcode in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim's system."

The malicious binary of choice is Backdoor.Trojan, a back door that is part of GHoST, a malware toolkit originally from China. Backdoor.Trojan has been around for several years and is used to view the desktop, record keystrokes, and allow remote access to the infected machine.
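Read with a defender's eye, Symantec's description names the ingredients to look for in a suspect PDF: a JavaScript action, something that fires it when the document opens, and the unescape("%u...") string doubling that heap sprays rely on. The triage script below is an added example, not code from the article, Symantec or Adobe; it goes a little beyond the article by also resolving #xx name escapes and inflating FlateDecode streams, two common ways such actions are hidden from a plain grep. The sample PDF is constructed for the demonstration and contains no exploit.

```python
import re
import zlib

# Triage indicators: a script action, a trigger that fires it on open, and
# the unescape("%u....") string doubling that heap-spraying JavaScript uses.
INDICATORS = {
    "javascript": rb"/(JavaScript|JS)\b",
    "auto_action": rb"/(OpenAction|AA)\b",
    "unescape_unicode": rb"unescape\s*\(\s*[\"'](%u[0-9a-fA-F]{4}){2,}",
    "grow_loop": rb"while\s*\([^)]*\.length\s*<",
}

def _inflate_streams(data: bytes) -> bytes:
    """Append the plaintext of every stream that inflates as FlateDecode."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:  # cap each stream at 1 MiB so a decompression bomb cannot hurt
            parts.append(zlib.decompressobj().decompress(m.group(1), 1 << 20))
        except zlib.error:
            pass  # not Flate-compressed or truncated; skip it
    return b"\n".join(parts)

def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /Java#53cript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Report which indicators fire; 'suspicious' needs a script action
    plus an auto-run trigger or a heap-spray hint."""
    text = _unescape_names(_inflate_streams(data))
    hits = {name: re.search(pat, text) is not None
            for name, pat in INDICATORS.items()}
    hits["suspicious"] = hits["javascript"] and (
        hits["auto_action"] or hits["unescape_unicode"] or hits["grow_loop"])
    return hits

# Constructed sample, not a real exploit document: /OpenAction points at a
# hex-escaped JavaScript action whose code sits in a FlateDecode stream, so
# a plain grep for /JavaScript or /JS finds nothing.
_JS = b'var nop = unescape("%u9090%u9090");\nwhile (nop.length < 0x10000) nop += nop;\n'
_ZJS = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Java#53cript /J#53 3 0 R >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode /Length " + str(len(_ZJS)).encode()
    + b" >>\nstream\n" + _ZJS + b"\nendstream\nendobj\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

A document with a script action but no auto-run trigger and no spray pattern (an ordinary form-validation script, say) is reported but not marked suspicious, which keeps the noise down when triaging a mail gateway's quarantine.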

Adobe releases fix

Back in February, Adobe warned that it would take until 10 March 2009 to get patches ready for version 9 of Adobe Reader and Acrobat, and until 18 March 2009 to prepare patches for the remaining versions. They weren't lying: those were the exact dates the fixes came out.

Security researchers and Adobe recommend upgrading to Reader 9.1 (the latest version of Reader) if at all possible, since it's free. As for Acrobat, it's definitely not free, so I'd recommend running the Acrobat update process. It's located under the Help pull-down menu.

I'd double-check even if the update process is set to automatic. If it's not set to automatic, it might be a good idea to configure it that way for future updates. Those changes can be made by first clicking on the Preferences button shown in the following slide:

A new window opens with all available setting options. The next slide shows what I use for my settings:

Final thoughts

To avoid yet another JavaScript vulnerability, please update your Adobe products. Those who dislike Adobe products also need to be cautious: there seems to be some confusion as to whether other PDF readers are vulnerable to this exploit, so it would be a good idea to see if any updates are available for alternate PDF applications. Finally, I'd recommend the use of NoScript by everyone.

28 comments
Jaqui

There is no need for Reader on GNU/Linux systems, with multiple F.L.O.S.S. apps that handle PDFs without the JavaScript issue: no support for scripts in PDFs. :D And Acrobat, well, it doesn't run on GNU/Linux, so Adobe doesn't get any money from me. :p Edit to add: this also is a perfect example of why A.J.A.X. and most Web 2.0 / rich media websites are a bad thing. You are running EXECUTABLE code from a source OUTSIDE your control. JavaScript should NEVER be enabled, nor required.

scarville

AJAX and the so-called Web 2.0 are making the cracker's life easier. If you run NoScript, take a look sometime at the number of different domains that want to run JavaScript on your desktop. The TechRepublic page I'm on right now has five third-party hosts, and it's not the worst I've seen. Unfortunately, all the web programmers I've worked with in the past few years don't seem to be able to write even the simplest web page without JavaScript. In fact, many websites will not work without importing third-party code.

Michael Kassner

So if scripts aren't used, what other options are available?

cmatthews

This is getting further off the theme, but couldn't popular third-party scripts be reviewed, authenticated, and then hosted on edge-content services like Akamai? We'd all benefit, not only in speed, but also in stats, first-usage disputes, easier white-listing, etc. Sounds like a win-win, no? I run lots of SmoothWall-3s at auto dealers, and weekly I see URL-filter logs of Web 2.0 sites that don't work. I often white-list before they call me to say: "Your security solution's not working."

Michael Kassner

That doesn't require JavaScript. I've not heard much on it though. Jaqui, if you hear anything, please let me know.

Jaqui

Try using TR without JavaScript, Michael. Any ACTIVE client-side script is a critical security risk, yet Web 2.0 sites require it, like TR. Not just in documents; websites themselves could deliver the exact same payload via JavaScript, or Flash, or ActiveX. When only the video content of Flash cannot be duplicated without any active client-side script, there is no excuse for using JavaScript or ActiveX on a website, other than the intention to infest systems with malware.

Michael Kassner

About the different exploits that don't use JavaScript. That's why I can't come to the same conclusion as you that other readers are immune to this.

Jaqui

I wasn't sure myself until I went to the project page. It seemed likely, though, so I wasn't too surprised at finding a Windows build.

Jaqui

xpdf is immune since they don't include Java applet support by default. No scripts in PDFs with it unless you build it in yourself.

seanferd

Haven't run into that one. Will definitely try it on my Windows machine.

Michael Kassner

Version and most other popular ones. I only reported on the ones that have acknowledged that they either are immune or have fixed the bug.

Michael Kassner

I just wanted to alert people that disabling JavaScript is not sufficient any more. Many users have JavaScript disabled already and may not feel they need to update their Adobe apps.

Jaqui

Needs some sort of execution environment on the system it's attacking, naturally. JavaScript, ActiveX and Flash ActionScript are the most commonly found exploitable environments. Hmm... ActionScript, Adobe's [well, Macromedia's originally] JavaScript variant for Flash. ActiveX, MS's proprietary Java implementation. All three have both execution rights and the ability to write to the hard drive. All three are remotely hosted executables. And the only functionality that cannot be duplicated without those two risks is the video content of Flash.

cmatthews

I've used Foxit for about 18 months now. I'm amazed how Acrobat is now about the same installed size as Microsoft Office. Little wonder it needs a pre-loader? Docu-track dot com has a free PDF-XChange viewer for both home and biz use. (It allows form fill and annotation.) Has anyone used PDF-XChange viewer yet? Any comments?

seanferd

I did also grab an updated ver 2.3, although I don't know if it will be an improvement. I've been thinking of downgrading, as the newer Foxit is getting a bit naggy.

santeewelding

I have only so many fingers, and you run about pointing to so many holes in the dike. Maybe what Vitruvius had to say about not building and living in low places would be appropriate.

Michael Kassner

To fix, then you have extra fingers for the ones that don't have a solution yet. I also hope you are well and enjoying the amazing change of seasons.

Michael Kassner

I've just read that disabling JavaScript is no longer a reliable fix. Apparently there are exploits that don't require it.

Michael Kassner

If so, make sure to update them immediately. Wondering why, please read my latest article about a new zero-day exploit: http://blogs.techrepublic.com.com/security/?p=1149

seanferd

It took a while, but they delivered when promised. I do believe, though, that "Acrobat Antics Here To Stay". Actually, I think they came to stay long ago. Definitely a great post for the average Adobe user to read.

Michael Kassner

Cut Adobe a bit of slack. As invasive as Acrobat is, I bet they had to be really careful about breaking anything.

Michael Kassner

As to what the details were. I just sense that it has tentacles all throughout the OS and office app.

seanferd

And they were on time, as promised. I do think they need to move a bit faster if they are going to support multiple versions, though. (They do push updates and suggest upgrading to higher versions, to their credit.) I assume that it was just such a low-level flaw that they needed to do a lot of re-coding.