February 20, 2009 6:13 AM PST

Adobe warns of critical, unpatched security flaw

by Dawn Kawamoto

Update at 8:45 a.m. PST: Information from security firm Symantec added.

Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.

Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.

Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.

Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.

Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.

Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.

In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers can then take advantage of a bug in Reader to overwrite memory and gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.

Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.

"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since it noticed the attacks on February 12.

But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.

In its blog on Trojan.Pidief.E, Symantec advises users to consider disabling JavaScript in Adobe Reader and has provided instructions for doing so in a blog post on a different issue.
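A triage sketch to go with the interim advice above, added here as an example and not taken from Adobe, Symantec, McAfee or the article: it flags PDFs that carry script-related names so they can be held back from an unpatched Reader. The function names and the two sample byte strings are assumptions constructed for illustration.

```python
import re

# PDF name tokens that make a viewer run script or act automatically on open.
SUSPICIOUS_NAMES = ("JS", "JavaScript", "OpenAction", "AA")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, which PDF allows inside names (/J#53 is /JS)."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script-related names in raw PDF bytes.

    Heuristic only: names inside compressed object streams are not seen,
    and a hit means "contains script", not "malicious".
    """
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    obfuscated = 0
    for match in _NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated += 1  # hex-escaped keyword: unusual in benign files
    return {
        "counts": counts,
        "obfuscated_names": obfuscated,
        "has_objstm": b"/ObjStm" in data,  # compressed objects may hide more
        "flag": counts["JS"] + counts["JavaScript"] > 0,
    }


# Constructed sample inputs (not real documents).
PLAIN = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"
SCRIPTED = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 3 0 R>>endobj\n"
            b"3 0 obj<</S/J#61vaScript/JS(app.alert\\(1\\))>>endobj\n%%EOF")

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("scripted", SCRIPTED)):
        print(label, triage_pdf(blob))
```

A flagged file is a candidate for quarantine or for opening in a viewer with JavaScript disabled; an unflagged file with `has_objstm` set has not been fully inspected.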

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.
(36 Comments)
by MichelleMcCormack February 20, 2009 6:27 AM PST
I sent a form to be filled out to a client this week, that I created in Adobe 9. Should I tell them to delete it? :)
by BtmnHatesRbn February 20, 2009 8:05 AM PST
Adobe 9 what? There isn't any Adobe program called Adobe. Did you mean Acrobat or Reader?
by c|net Reader February 20, 2009 9:11 AM PST
You do not need to worry about PDF files you created. It is PDFs hosted on web sites that could be a problem for you and them. Even if you trust the web site, a hacker could have replaced their PDF with a modified version that exploits the vulnerability.
by c|net Reader February 20, 2009 10:00 AM PST
Computerworld's article on this subject was far more informative. There you can read that this buffer overflow hack is only effective if JavaScript is enabled in Adobe Reader and Adobe Acrobat. If you disable JavaScript, until the patch is installed, then Reader and Acrobat will crash when you open a hacked PDF, but your system won't be vulnerable.
by Penguinisto February 20, 2009 6:47 AM PST
Let me guess - you only need bother if it's running on top of Windows, right?
by BtmnHatesRbn February 20, 2009 8:06 AM PST
Sounds like it. Hey folks, move over to Mac OS X, Ubuntu, FreeBSD, or hell, even Windows 3.1.
by jandler February 20, 2009 10:49 AM PST
u guys wrong
by Penguinisto February 20, 2009 11:32 AM PST
Well that was technically illustrating. Maybe you (not "u") can elucidate on why you (again, "you" not "u") think that we "guys wrong"?
by Dalkorian February 20, 2009 12:18 PM PST
That was my first question as well. It mentions it's an Adobe flaw that causes a trojan to be installed - it sounds like it *could* affect any platform. Curious how few links there are to follow up - anyone know if other platforms are vulnerable?
by Vegaman_Dan February 20, 2009 1:04 PM PST
It's probably a safe bet that it is an exploit that would affect unpatched Windows systems. That's the most likely scenario.

It could be a platform independent one however since Adobe's products are on a wide range of products and do require admin rights to install on most - possibly becoming a vector in and of itself.

We just don't have enough information and Adobe won't be exactly eager to share.
by Dalkorian February 20, 2009 4:13 PM PST
Well, I ran into this article - proving it's worse than "just another winblows exploit" ...

http://www.macworld.com/article/138943/2009/02/adobe_vulnerability.html?lsrc=rss_main

Yeah, it looks like even Macs are vulnerable to this. It's an exploit of Adobe (Reader/Acrobat specifically) and affects ALL platforms. Of course the question still stands as to what is out there "in the wild" currently - is it smart enough to download the right trojan for the platform, or does the trojan itself work on all platforms or is this currently used to attack only one platform?

Mac users have options, Apple's Preview app handles pdf files pretty decently. I'm pretty sure there are Linux alternatives as well (there *IS* a Linux version of Acrobat or at least Reader, right?) Anyone know of a winblows alternative to Reader?
by jeffguevin February 20, 2009 6:48 AM PST
Can we assume that this flaw exists when viewing PDF documents inside a browser? Should we disable browser plugins?
by Dalkorian February 20, 2009 4:16 PM PST
No, apparently not. It's Acrobat/Reader itself having issues with specially mal-crafted pdf files. Disable scripts, or find an alternative pdf viewer.

Note Adobe will *eventually* fix this, so if you end up missing Reader after a few months you can check to see if they fixed this yet.
by jeffguevin February 20, 2009 7:03 AM PST
At least one security site recommends turning off Javascript in Adobe Reader to thwart attacks.

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
by Get_Bent February 20, 2009 7:19 AM PST
There's nothing like a zero-day exploit to make your day. Two-and-a-half weeks to release a fix, and even longer for older versions of Adobe's software? Nice. How many machines will be compromised while we're waiting for the patch? It's no wonder I use a third-party PDF viewer like Foxit Reader instead of Adobe's program.
by BtmnHatesRbn February 20, 2009 8:04 AM PST
You don't make any sense, as you had to go out your way to install that other applications for reading/viewing PDFs. So the point is moot that you used it because of security flaws. Also, what does the average person on a Windows computer doing that this exploit will affect or effect their computer use?
by Get_Bent February 20, 2009 10:35 AM PST
BHR> You don't make any sense, as you had to go out your way to install that other applications for reading/viewing PDFs.

You have to go "out of your way" to install Adobe Reader, too. What's your point?

BHR> So the point is moot that you used it because of security flaws.

Foxit Reader doesn't use Adobe's code, so it doesn't contain this security flaw. And my question still stands: How many computers will be compromised in the time that it takes Adobe to release the patches for versions 9, 8, and 7?

BHR> Also, what does the average person on a Windows computer doing that this exploit will affect or effect their computer use?

I can think of a couple:

- They click on a link with an embedded PDF.
- They receive an e-mail with an attached PDF and open it.

Most people don't think of PDFs as being potentially dangerous.
by EvilUrgency February 20, 2009 7:24 AM PST
Very useful information and I thank the author, however the message is diluted by the errors left uncorrected for lack of a simple proof read. Thus I am left to wonder about the credibility of the author and the information contained in the article. If rereading the article to check for errors is too much to ask from the author why should I bother to read it at all? CNET should demand higher standards from its authors before allowing them to publish in its name.
by 8301 February 20, 2009 10:24 AM PST
Your first sentence is a run-on, and "proofread" is one word. Thus, I am left to wonder about your credibility as a CNET commenter and the information contained in your comment. Of course, as a CNET commenter, your credibility is already negligible, and your comment contained no useful information, so I don't suppose I have to wonder very long.
by A_Wave February 21, 2009 1:34 PM PST
You must be the evil grammarian about whom our mothers warned us.

Re-reading should be hyphenated.
by mjconver February 20, 2009 7:31 AM PST
@EvilUrgency -

I always question the credibility of anyone who posts under an alias. It shows cowardice.

Jay Converse
by BtmnHatesRbn February 20, 2009 8:03 AM PST
I use Preview on a Mac to see/read PDF files, so I guess this doesn't apply to me at all.
by DarthSpudro February 20, 2009 8:22 AM PST
@EvileUrgency -

"Proofread" is one word.
by Penguinisto February 20, 2009 8:24 AM PST
Well, there are always solutions:

xpdf, Foxit, OpenOffice, Preview on OSX...

...oh, wait - heh. :)
by 8301 February 20, 2009 10:29 AM PST
Could you at least put a cap on the number of comments you post on one article? It's very disconcerting to avoid reading your self-important drivel once, only to encounter it again later on the same page.
by jandler February 20, 2009 10:50 AM PST
I prefer this one
Quite funny actually
http://digitaldaily.allthingsd.com/20090220/heres-a-patch-for-you-adobe-acrobatuninstallexe/
by Penguinisto February 20, 2009 11:33 AM PST
@ 8301:

I love you too... now put the sockpuppet away.
by Vegaman_Dan February 20, 2009 1:07 PM PST
Penguinisto's reputation is a well earned one. He's at least fairly consistent. It really throws people off when he does something unexpected like post something that was well thought out, legitimate, or adds to the subject at hand.

Thankfully he was true to form here. :)
by DECKitBRUISEit February 20, 2009 8:31 AM PST
Time for the smug mac-user smile of the day :)
by Vegaman_Dan February 20, 2009 1:08 PM PST
However nobody knows what platforms this Adobe flaw affects - it may affect all the platforms that Adobe produces for. Adobe isn't saying at this time.

A bit too early to have the smug look yet.
by Dalkorian February 20, 2009 4:20 PM PST
Maybe not Deck ...

http://www.macworld.com/article/138943/2009/02/adobe_vulnerability.html?lsrc=rss_main

It's an Adobe exploit, not a platform one. ALL platforms are vulnerable. So you can put that smug look away - unless you use Preview to view pdf files.

;-)
by beckychr007 February 20, 2009 8:40 AM PST
BtmnHatesRbn,

Thanks for clarifying something that no one was confused about.
by darthstupid February 20, 2009 10:22 AM PST
Unfortunately this is a cross platform security flaw. Meaning Mac users and Windows users are vulnerable.

Simplest solution for now is to turn off Javascript in Acrobat 7 through 9 by going to "Preferences" look for the "Javascript" pane and then turn off "Enable Acrobat Javascript". When the flaw is patched undo that and you are golden (until the next flaw is found). Otherwise just leave it off and you won't miss much (other than some automated form filling which you probably don't use anyway).
by drkgeek February 20, 2009 6:35 PM PST
I actually got a virus from adobe a few days ago, I followed it and killed it with Malwarebytes.
by Sum--Guy February 21, 2009 9:12 PM PST
Ok, explain this.

Is this fundamentally a flaw in the Sun Java JRE? Meaning that a JRE update will (or could) block this exploit, regardless of what Adobe does? Also meaning that other apps could be exposed to this vulnerability?

Regarding turning off javascript "within" Acrobat - does this mean I can generally have javascript turned on (for other apps) but specifically turn it off for Acrobat?

Also - is Acrobat 6.x affected by this threat? (And don't say that Acrobat 6 is no longer supported, because that doesn't answer the question even if it is true).
by redhotzz February 23, 2009 11:39 AM PST
I needed Adobe Acrobat Reader and downloaded it last night. Within a few hours my free version of AVG threw up a window saying a threat was being stopped. I was gone all morning today and came home to a huge screen that said: C:\System volume Information\_restore{D534...Trojan Horse Generic 12.AQBH. NONE of the buttons on AVG do anything. I came here to Cnet to check what might be going on and here is the Adobe Acrobat Reader blog. I've uninstalled Adobe. AVG now wants $34.99 to use version 8. Anyone else experience this? thanks ahead!