Security

Read all 'Adobe Reader' posts in Security
October 13, 2009 12:55 PM PDT

Adobe fixes 28 holes in Reader and Acrobat

by Elinor Mills
  • 9 comments

Adobe on Tuesday released a security bulletin that includes fixes for 28 vulnerabilities in Adobe Reader and Acrobat, including a critical hole that has reportedly been exploited in the wild in limited attacks.

Affected software includes version 9.1.3 of Reader and Acrobat; Acrobat 8.1.6 for Windows, Macintosh, and Unix; and version 7.1.3 of Reader and Acrobat for Windows and Macintosh. The vulnerabilities could cause the applications to crash and could allow an attacker to take control of a user's computer.

Adobe recommends that people update to Adobe Reader 9.2 and Acrobat 9.2, or Acrobat 8.1.7 or Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates.

One of the updates addresses a hole that Trend Micro says has been exploited by a Trojan horse that arrives as a PDF file containing malicious JavaScript. That exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.

"All users of Adobe Reader or Acrobat will need to update their software with today's release because these updates include fixes for the most critical kind of bugs," said Andrew Storms, director of security operations at nCircle.

This is Adobe's second quarterly security update for Adobe Reader and Acrobat.

Also on Tuesday, Microsoft issued a security advisory with a record number of bulletins, including the first fixes for critical holes in Windows 7.

Originally posted at InSecurity Complex
August 6, 2009 4:00 AM PDT

Is Adobe the next (pre-2002) Microsoft?

by Elinor Mills
  • 58 comments

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits is on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of PDF files used in dangerous Web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.

In addition, there are more and more zero-day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.

There have been zero-day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on Web sites. And in one case this spring, a zero-day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.

One security researcher at Black Hat last week, who asked to remain anonymous, said: "As a result of the number of zero-day attacks on PDFs this year, large banks hate Adobe."

F-Secure said it identified about 1,967 targeted attack files in 2008, the most popular type being .doc used in Microsoft Word.

(Credit: F-Secure)

Those scary statistics prompted Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users at the RSA show in April to switch to an alternative PDF reader.

Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.

"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realizing that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.

An Adobe manager said the problem stems from the fact that its software is so broadly used.

"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on Earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.

Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.

Microsoft: Been there, done that
In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.

The company established a Security Development Lifecycle program, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.

During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDF. The change from the previous year is primarily due to the fact that there have been more vulnerabilities in Adobe Acrobat/Reader than in Microsoft Office, F-Secure said.

(Credit: F-Secure)

Now it's Adobe's turn to step up to the plate.

"Microsoft is a model for patch management...they were forced into it. They really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."

In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.

In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.

At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself." He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."

The company was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which was being exploited, according to Arkin.

"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.

A zero-day exploit targeting Reader and Acrobat that Adobe learned about on April 27 was fixed about two weeks later, he said. And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.

"We are quite happy with the performance on those," Arkin said of the time frame for the patches.

The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall, he said. "Adobe integrates the best practices you see at Microsoft and other companies."

The security researcher who asked not to be named complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.

The program's functions require it to be able to save and open files on the file system and thus have read and write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system," and the privileges between the two types of programs are similar, he added.

Security-versus-functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it's the favorite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.

"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.

"I'd like to think that they would start realizing that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"

Not really, the experts agreed.

Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regard to security issues and suggested critics should cut the company some slack.

"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.

"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.

"There's always a 'most vulnerable' attack surface."

Originally posted at InSecurity Complex
April 28, 2009 10:41 AM PDT

Another Adobe Reader security hole emerges

by Elinor Mills
  • 14 comments

Updated 4:35 p.m. PDT with Adobe saying Windows, Mac and Unix versions of Reader are affected and more details.

Security experts are recommending that people disable JavaScript in Adobe Reader following reports of a vulnerability in the popular portable document format reader on Tuesday.

The vulnerability appears to be due to an error in the "getAnnots()" JavaScript function and exploiting it could allow someone to remotely execute code on the machine, according to an advisory from the US-CERT.

"US-CERT encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk," the post said. "To disable JavaScript in Adobe Reader, open the General Preferences dialog box. From the Edit-Preferences-JavaScript menu, uncheck 'Enable Acrobat JavaScript.'"

All currently supported shipping versions of Adobe Reader (8.1.4, 9.1 and 7.1.1 and earlier) are vulnerable and Windows, Macintosh and Unix platforms are affected, Adobe said in an advisory.

The company said it would release updates for all the platforms but did not yet have a time frame for that. "We are currently not aware of any reports of exploits in the wild for this issue," the advisory said.

At the RSA security conference last week, F-Secure Chief Research Officer Mikko Hypponen said Internet users should switch to using an alternative PDF reader because of the security issues with Adobe Reader. A list of them is available on the PDFReaders.org Web site.

Of the targeted attacks so far this year, more than 47 percent exploit holes in Acrobat Reader, while six vulnerabilities have been discovered that target the program, he said.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

March 10, 2009 5:14 PM PDT

Adobe issues fix for zero-day Reader vulnerability

by Elinor Mills
  • 7 comments

Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.

Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.

Basically, attackers can take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.

In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.

Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.

The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.

Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.

One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.

"Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication," said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.

Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.

February 20, 2009 6:13 AM PST

Adobe warns of critical, unpatched security flaw

by Dawn Kawamoto
  • 36 comments

Update at 8:45 a.m. PST: Information from security firm Symantec added.

Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.

Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.

Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.

Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.

Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.

Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.

In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers can then take advantage of a bug in Reader to overwrite memory and gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.

Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.

"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since it noticed the attacks on February 12.

But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.

In its blog on Trojan.Pidief.E, Symantec advises users to consider disabling JavaScript in Adobe Reader and has provided instructions in a blog on a different issue.

November 4, 2008 6:00 AM PST

Core Security finds critical Adobe Reader hole

by Elinor Mills
  • 14 comments

Updated 10:50 a.m. PT with Adobe releasing update and link.

A critical security hole in Adobe Reader could allow an attacker to take control of a computer, according to Core Security Technologies.

The vulnerability affects version 8.1.2 of Reader, Core Security said in a statement issued on Tuesday to coincide with Adobe's planned release of a security update to fix the vulnerability.

The security bulletin was posted early on Tuesday. "Adobe is not aware of any reports of these issues being exploited in the wild," the company wrote in a security blog posting.

An attacker could put malicious code in JavaScript embedded in a PDF and spread that via a Web site or e-mail, Core Security said. Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user.

Damian Frizza, a CoreLabs researcher, discovered the vulnerability in May while he was investigating a similar vulnerability in a different PDF viewer application called Foxit Reader. Core Security immediately reported the new hole to Adobe.

The complexity of desktop software increases the chances of applications having bugs that result from the implementation of the software, said Ivan Arce, chief technology officer of Core Security.

"We've seen similar vulnerabilities in JavaScript engines in Adobe software in the past and in other applications," he said. "It's difficult to avoid implementation bugs like this one."

The fact that both PDF Readers have the same bug indicates that even though vendors are building products with different technologies and code bases, they ought to check for such bugs in their applications when rival software is found to be vulnerable, Arce said.
