With all the Internet attacks that exploit Adobe Acrobat Reader people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.
Of the targeted attacks so far this year, more than 47 percent of them exploit holes in Acrobat Reader while six vulnerabilities have been discovered that target the program, Mikko Hypponen, chief research officer of security firm F-Secure, said in a briefing with journalists.
Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.
In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader's 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader), he said.
Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks where an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is infected typically with a back door that then steals data.
PDF and Flash browser plug-ins are also used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen.
Adobe should make security a priority, he said.
Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.
Part of the problem is people don't expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.
Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.
Update at 8:45 a.m. PST: Information from security firm Symantec added.
Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.
Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.
Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.
Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.
Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.
Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.
In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers can then take advantage of a bug in Reader to overwrite memory at gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.
Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.
"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since it noticed the attacks on February 12.
But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.
In its blog on Trojan.Pidief.E, Symantec advices users to consider disabling JavaScript in Adobe Reader and has provided instructions in a blog on a different issue.
Updated September 12 at 11:12 a.m. with comment from Adobe.
Certain URLs can cause Adobe Acrobat 9 to suffer a denial of service or crash, says a researcher.
According to an alert from the SecuriTeam mailing list, "a vulnerability in Adobe Acrobat 9 allow attackers to cause the program to crash by providing it with a malformed URL."
The alert cites a blog by researcher Jeremy Brown, who provides working exploit code. In one example, Brown uses the string "acroie:///DoS" to cause a DoS in Adobe Acrobat 9 running on Windows Vista.
A spokesperson for Adobe said Thursday night, "We are aware of and investigating this. Our initial findings are consistent with those reported by the researcher that this is a denial-of-service issue."
- prev
- 1
- next
