In February of 2009, zero-day exploits targeting versions of Adobe Reader and Acrobat were found by security researchers. Symantec was one of the involved companies and offers a good explanation of the exploit:
“It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations, for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.”
Adobe acknowledged the problem in a 19 February 2009 security bulletin:
“A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.”
How the exploit works
As to how the malware exploits the vulnerability, Symantec goes on to explain:
“The malicious binary of choice is Backdoor.Trojan, a back door that’s part of GHoST, a malware toolkit originally from China. Backdoor.Trojan has been around for several years and is used to view the desktop, record keystrokes, and allow remote access of the infected machine.”
Adobe releases fix
Back in February, Adobe warned that it would take until 10 March 2009 to get patches ready for version 9 of Adobe Reader and Acrobat, and until 18 March 2009 to prepare patches for the remaining versions. They weren’t exaggerating: those were the exact dates the fixes came out.
Security researchers and Adobe recommend upgrading to Reader 9.1 (the latest version of Reader) if at all possible, since it’s free. As for Acrobat, it’s definitely not free, so I’d recommend running the Acrobat update process. It’s located under the Help pull-down menu.
I’d double-check even if the update process is set to automatic. If it’s not set to automatic, it might be a good idea to configure it that way for future updates. Those changes can be made by first clicking on the Preferences button shown in the following slide:
A new window opens with all available setting options. The next slide shows what I use for my settings:
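For anyone who would rather verify the installed build than trust the update dialog, here is an added PowerShell check (not from the original post or from Adobe) that reads the Windows uninstall registry keys and flags any 9.x Reader or Acrobat install older than the 9.1 release the post recommends. It assumes the standard HKLM uninstall key paths; fixed version numbers for the older branches are not given in the post, so those installs are only reported for manual comparison against Adobe's 18 March 2009 bulletin.

```powershell
# Added example: inventory Adobe Reader/Acrobat installs and flag 9.x builds below 9.1.
# Assumption: products register under the usual HKLM uninstall keys (native and WOW6432Node).

$fixedNineBranch = [version]'9.1'   # patched build for the 9.x branch, per the post

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every uninstall entry whose display name starts with "Adobe Reader" or "Adobe Acrobat"
$adobeInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Adobe (Reader|Acrobat)' -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

if (-not $adobeInstalls) {
    Write-Output 'No Adobe Reader or Acrobat entries found in the uninstall keys.'
}

foreach ($app in $adobeInstalls) {
    $installed = $null
    # DisplayVersion is a string such as "9.0.0"; parse it so comparisons are numeric, not lexical
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Output ("UNKNOWN     {0}: version string '{1}' did not parse" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }

    if ($installed.Major -eq 9) {
        if ($installed -lt $fixedNineBranch) {
            # Below 9.1 means the February 2009 vulnerability is still unpatched on this host
            Write-Output ("VULNERABLE  {0} {1} is below 9.1; run the Help menu update" -f $app.DisplayName, $installed)
        } else {
            Write-Output ("OK          {0} {1}" -f $app.DisplayName, $installed)
        }
    } else {
        # Older branches were patched on 18 March 2009; the post gives no build number for them
        Write-Output ("CHECK       {0} {1} is not a 9.x build; compare against Adobe's 18 March 2009 bulletin" -f $app.DisplayName, $installed)
    }
}
```

Run it in an elevated PowerShell session so both registry hives are readable; on a fleet, the same script can be pushed through your normal remote-execution tooling and the VULNERABLE lines collected centrally.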
TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.