Author Topic: New Adobe Reader, Acrobat Vulnerability Under Attack  (Read 648 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35816
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
New Adobe Reader, Acrobat Vulnerability Under Attack
« on: December 15, 2009, 06:35:12 PM »

Adobe Systems is dealing with a new security vulnerability affecting the latest versions of Adobe Reader and Acrobat as the company continues work on a fix for another zero-day bug exposed earlier this month.

Attackers are exploiting a new vulnerability affecting Adobe Systems’ Reader and Acrobat software in what are reportedly targeted attacks.

According to Adobe’s Product Security Incident Response Team blog, the vulnerability impacts Adobe Reader and Acrobat 9.2, and is being exploited in the wild.

“We are currently investigating this issue and assessing the risk to our customers,” the company’s security team said in a blog post.

Adobe began hearing reports of the attack Monday afternoon, but it has been in the wild for nearly a week. The malicious Adobe Acrobat PDF file arrives as an e-mail attachment, and executes when opened. According to Symantec, which detects the malware as Trojan.Pidief.H, the rate of infection at the moment is low.

However, researchers with the Shadowserver Foundation, a volunteer security watchdog group, said that could change in the near future.

“We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009,” according to the Shadowserver blog. “However, the number of attacks (is) limited and most likely targeted in nature. Expect the exploit to become more wide spread in the next few weeks and unfortunately potentially become fully public within the same timeframe.”

Both Shadowserver and the SANS Institute propose that users disable JavaScript as a defense if they are concerned about the vulnerability.

In addition to the latest bug, Adobe still has another zero-day to clear off its plate as well. Earlier this year, proof-of-concept exploit code began circulating the Web for a vulnerability in Adobe Illustrator CS4 and CS3 that can be exploited to execute code via a malicious Encapsulated PostScript (.eps) file in Illustrator. Adobe has said it plans to fix the issue in Illustrator by Jan. 8.



Online javajolt

Kill JavaScript in Adobe Reader to ward off zero-day exploit, experts urge
« Reply #1 on: December 15, 2009, 11:24:13 PM »
Public exploit code just 'day or two' away, says Metasploit's HD Moore

Users should disable JavaScript in Adobe's Reader and Acrobat tools to protect themselves until a patch for a just-disclosed vulnerability is available, security experts said today.

The advice is timely, as noted bug researcher and exploit maker HD Moore confirmed that an exploit would be published to the open-source Metasploit penetration testing framework within a day or two.

Shadowserver, a volunteer-run group that tracks vulnerabilities, was the first to urge users to switch off JavaScript. "We have said it before and we will say it again: Disable JavaScript," the group said in a Monday post to its blog.

Although Shadowserver purposefully kept much of what it knew to itself, the group confirmed that JavaScript was involved. "We can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [and] Reader," Shadowserver claimed. "Furthermore, the vulnerable JavaScript is obfuscated inside a 'zlib' stream making universal detection and intrusion detection signatures much more difficult."

Moore, the creator of Metasploit and chief security officer for security company Rapid7, echoed Shadowserver's advice. "Disabling JavaScript does prevent the vulnerable code from being called," Moore said in an e-mail to Computerworld Tuesday.

To disable JavaScript in Adobe Reader or Acrobat on Windows, users must select Preferences from the Edit menu, choose "JavaScript," then uncheck the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.)

Turning off JavaScript may be the only defense against attack until Adobe patches the problem. And it may be nearly a month before that happens: Adobe's next regularly-scheduled security updates for Reader/Acrobat are to ship Jan. 12, 2010.

But if Moore's preliminary work is any indication, attack code will go public long before then. "It is a little tricky to make reliable, but we are on track and should have a Metasploit update ready within a day or two at the latest," Moore said, referring to the probable release of an exploit module for the testing framework. Moore obtained a sample of the malicious PDF document being used to exploit the bug only this morning.

Moore also defended Metasploit's practice of providing working exploit code to anyone, including hackers. "Since the bug is 1) public and 2) widely exploited, we feel that adding an exploit module is the right thing to do, as it provides a safe way for folks to verify that their mitigation efforts actually work," said Moore.

Adobe will release its own in-lieu-of-patch recommendations later today, said Brad Arkin, Adobe's director for product security and privacy, in a direct tweet to Computerworld. "Full advisory coming later today with mitigation details," Arkin said around 3 p.m. Eastern. "Team is pulling that info together now."

Earlier today, Arkin told IDG News Service reporter Bob McMillan that the exploit targeted Windows users only. "It may trigger a crash on other platforms, but not an exploit," Arkin said in a direct tweet to McMillan.

Adobe Reader and Acrobat run on Windows, Mac OS X and Linux.
« Last Edit: December 15, 2009, 11:33:43 PM by javajolt »
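
Shadowserver's remark above, that script hidden inside a 'zlib' stream defeats simple signatures, can be seen with a small triage sketch. This is an added example, not code from the posts, Shadowserver, or Adobe; `scan_pdf`, `build_sample`, and the harmless sample script are constructed for illustration, and only plain Flate (zlib) streams are handled, not filter chains or encrypted files.

```python
import re
import zlib

NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def inflate(raw, limit=8_000_000):
    """Inflate one stream body; cap output size, return None if not zlib."""
    try:
        return zlib.decompressobj().decompress(raw, limit)
    except zlib.error:
        return None

def scan_pdf(data, patterns):
    """Report JavaScript-related names and where each byte pattern matches."""
    # Names live in dictionaries outside stream bodies; undo #xx escapes first.
    outside = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]),
                          STREAM_RE.sub(b"", data))
    names = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", outside))
             for n in NAMES}
    bodies = [b for b in (inflate(m.group(1)) for m in STREAM_RE.finditer(data))
              if b is not None]
    return {
        "names": names,
        "streams_inflated": len(bodies),
        # A signature applied to the file bytes as stored on disk.
        "raw_hits": [p for p in patterns if p in data],
        # The same signature applied after inflating each stream.
        "stream_hits": [p for p in patterns if any(p in b for b in bodies)],
    }

def build_sample():
    """Constructed, harmless PDF fragment whose script is Flate-compressed."""
    script = b'app.alert("constructed sample"); ' * 4
    z = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n"
            b"<< /OpenAction << /S /JavaScript /JS 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(z)).encode() + b" >>\nstream\n"
            + z + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample(), [b"app.alert"]))
```

On the constructed sample the pattern is absent from the raw bytes and found only after inflation, while the `/JS` and `/OpenAction` names still flag the file as carrying auto-run JavaScript.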


Online javajolt

Adobe Reader Zero-Day Exploit: Protecting Your PC
« Reply #2 on: December 15, 2009, 11:49:33 PM »

Reports that a zero-day vulnerability in Adobe Acrobat and Adobe Reader is being exploited in the wild have been confirmed by Adobe in a blog post. Adobe is exploring the issue to determine how to patch it, but you're on your own in the meantime.

The popular PDF document format has made the Adobe Reader software virtually ubiquitous. Few software products are installed so pervasively that they exist on nearly every system regardless of operating system. For malware developers, targeting flaws in Adobe Reader offers an exceptionally large potential for victims.

The issue reportedly impacts Adobe Reader, and Adobe Acrobat--versions 9.2 and earlier. The good news is that attacks thus far are narrowly-focused, targeted attacks rather than widespread efforts.

Ben Greenbaum, senior research manager for Symantec Security Response, explains, "The e-mails Symantec has seen thus far use fairly standard social engineering to try and lure users to open up a malicious PDF file, which Symantec detects as Trojan.Pidief.H. Symantec has an antivirus detection signature for this threat."

The Trojan horse exploits a flaw in the Adobe software to allow it to install additional malware components and further compromise the vulnerable computer. The additional malware could potentially be anything, but Symantec reports that the most prevalent malware associated with this threat right now is some type of information-stealing software.

The Shadowserver Foundation, a security watchdog organization, wrote in a blog post, "We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks are limited and most likely targeted in nature. Expect the exploit to become more wide spread in the next few weeks and unfortunately potentially become fully public within the same timeframe."

The actual exploit relies on JavaScript. The Shadowserver Foundation and SANS Institute both recommend that you simply disable the execution of JavaScript within the Adobe software. In your Adobe product, go to Edit--Preferences--JavaScript, and uncheck the box next to Enable Adobe JavaScript.

Whether or not you choose to disable JavaScript in Adobe products, you should always exercise some caution and common sense before opening any email attachments. Symantec's Greenbaum points out, "In general, users should be very wary of any e-mails they receive from an unknown sender that they aren't expecting. They should never open any attachments from any such e-mail, either."

Greenbaum adds, "Many times, these e-mails will try to pressure users into opening the attachment or use scare tactics. If a user gets an e-mail from an unknown sender that tries to pressure them into opening an attachment, it is very likely that the attachment is malware and the e-mail should be deleted immediately."