
Hackers Exploit Adobe Reader Flaw

Security Fix has learned that at least one of the security holes in the popular Adobe Reader application that was quietly patched by Adobe this week is actively being exploited to break into Microsoft Windows computers.

On Wednesday, we alerted readers that Adobe had pushed out a patch to plug unspecified security holes in its ubiquitous and free Acrobat Reader program. According to information released Friday by iDefense, a unit of Verisign, Web site administrators on an online Italian forum first spotted hackers taking advantage of the flaw on Jan. 20, 2008, when tainted banner ads were identified that served specially crafted Acrobat PDF files designed to exploit the hole and install malicious software.

iDefense says that on Friday it saw the same banner ad tactic being used in the wild to install a Trojan horse program. That Trojan, dubbed "Zonebac," disables various anti-virus products and modifies the victim's search engine results. As of late Friday evening, the company claims that not a single commercial anti-virus product detects this thing as malicious.

While having some unwelcome program monkey with your search results may not sound like the worst thing to have happen to your PC, cyber criminals may find more nefarious purposes for this vulnerability.

It's an interesting target for criminals because Adobe Reader has a truly enormous install base, yet it is one of those applications that so few people even think to update regularly. According to Adobe, more than 500 million copies of Adobe Reader have been distributed worldwide on 23 platforms and in 26 languages. The product also is distributed by the top 10 PC manufacturers.

Adobe released an updated security advisory for this patch late Thursday, but it didn't contain many more details than the original advisory, other than to credit iDefense and several other security vendors for reporting vulnerabilities. iDefense said an internal researcher discovered the flaw, and that the company alerted Adobe back on Oct. 11, 2007. A spokesperson for Fortinet, also credited in the latest advisory, said researchers alerted Adobe to their findings on Nov. 1, 2007.

Steve Gottwals, senior product manager for Adobe Reader, declined to say how many vulnerabilities this 8.1.2 patch fixed, but confirmed reports that the attackers were already exploiting the flaw.

"We have received the same reports through our security partners," Gottwals said. "I think you can expect a greater level of detail to be forthcoming when we know that many people are adequately covered" by the latest update, he said.

If you haven't applied the latest patch for Adobe Reader -- which brings the program up to version 8.1.2 -- don't delay. Patch now.

By Brian Krebs  |  February 9, 2008; 8:55 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips  


Thanks, Brian.
Again, not only useful information, but also well written.
I want to mention that Adobe's instructions for Firefox users are incorrect.
They tell you to "look for the yellow bar at the top" with a box showing "Edit options".
Well, there's no such thing on my browser, the latest version.
The correct sequence is :
At the top click on the Exceptions button and add Adobe to the allowed sites.

BTW, two requests to Brian and the readers here :
1) Can someone recommend a free pdf to doc converter which works ? I tried a few and they all produced garbage for output.
2) What was the free pdf reader recommended in this paper (please save me search time
:-) ?

And last, I have my opinions (not fit for print) on the widespread use and acceptance of the pdf format.

Posted by: csavargo | February 9, 2008 9:49 AM | Report abuse

On Windows (at work), I use Foxit reader.
It's smaller and faster loading than Adobe.

Posted by: Tom G | February 9, 2008 12:54 PM | Report abuse

@Csvargo -- not sure about a decent pdf converter, but Foxit's free reader was the alternative to Adobe that I suggested in this column on Wednesday:

Posted by: Bk | February 9, 2008 1:00 PM | Report abuse

As for a free pdf converter, try CutePDF.

Posted by: Mike D | February 9, 2008 2:07 PM | Report abuse

"security hole in Adobe Reader ... actively being exploited to break into Microsoft Windows computers"

So, why is this important?
Who still uses Windows?

Posted by: Dave Barnes | February 9, 2008 4:36 PM | Report abuse

I received the patch automatically.

Posted by: Michael1945 | February 9, 2008 5:17 PM | Report abuse

A couple of days ago, Adobe did its typical "break-in" to my computer to install--without permission--its newest update. For some reason, it apparently de-installed the old version first and then failed to install the new version.

Result: I suddenly had no pdf reader at all. All pdf file icons went generic and I was unable to open any.

Then I did something I had intended to do for quite some time but never got around to it: downloaded and installed the Foxit reader. Lightning fast on both processes and it works great!

I cannot thank Adobe enough for its reader's latest installation failure.

Posted by: Mark Higdon | February 9, 2008 9:21 PM | Report abuse

Great - Let's all use Foxit or CutePDF or some other generic rip-off that has no security patch system in place at all, much less testing (thus more bugs) ... what a great idea ...

Posted by: LOL | February 10, 2008 5:32 AM | Report abuse

There is a delay in the distribution of updates, due to the translation into various languages. Although latest version is available in English, the other languages are still lying behind, leaving space for damage. Adobe should release jointly with all translations.

Posted by: Luca | February 10, 2008 6:19 AM | Report abuse

There is a delay in the distribution of updates, due to the translation into various languages. Although the latest version is available in English, the other languages lie behind, leaving space for damage. Adobe should release jointly with all translations.

Posted by: Luca dellaPenna | February 10, 2008 6:21 AM | Report abuse

My computer at work accesses the outside world via a proxy. Maybe I'm being stupid but I have not worked out how to enter the proxy's details into the reader so that Auto-Update works.

Well, now I know to download the new version directly.

Posted by: Andrew | February 10, 2008 10:03 AM | Report abuse

Still using Win98, latest version 6.0.1.

Bad news or not ? Adobe mentions only versions 7 and 8.

Which is not unlike much of the software world, there are no notes on older versions.

Posted by: old guy | February 10, 2008 1:00 PM | Report abuse

I have never used the auto-update feature for any software. I want to be the one to determine what I want and what I don't want. Adobe notified me that it was available and I looked before downloading and installing.

Mark Higdon should have never turned his auto-update for Adobe to download and install. Also, LOL is correct about downloading some of these open source programs. We have no way of knowing what, if any, security comes with the software.

Posted by: Michael1945 | February 10, 2008 1:18 PM | Report abuse

Thanks for the responses.
I will download Foxit (right now I am struggling with a dying modem and will be happy to be able to send this off).
Mike D, from what I can see CutePDF translates from doc to pdf. I need it the other way around.

Posted by: csavargo | February 10, 2008 3:28 PM | Report abuse

Seems to me there was an (open) backdoor through another similar product past and present, power something ?

Writing to see if anyone else has had a problem upgrading to Vista Home Premium from Xp through the web purchased download ?

It could very well be me or my machines. Back in the day when we availed ourselves as customers and test pilots for Win95 and applications a lot of troubleshooting was done by consumers after a major release.

After spending several hours with customer service reps, technicians and managers stretching across the world from Philippines to India to Seattle, I still can't get the program to load.

I don't care if I do a forced install while waiting for 2-4 weeks to receive a cd in the mail. First mainframe I crashed was in 1878 and purely by accident, I can assure you. So if anyone can enlighten me as to why I can't progress in this here 21st century I would be grateful.

Thanks in advance.

Posted by: Mark W. | February 11, 2008 3:51 AM | Report abuse

Once again, it's another classic example of being at the mercy of a vendor. While it's rather easy for home users to use FOSS or other 3rd party alternatives to Reader, in the corporate world Reader and Acrobat Professional are well-entrenched.

Convincing superiors to blow vast sums of money on Acrobat upgrades just for the security patch borders on insanity...

While the fix is quite simple, at the same time, however, I must wonder which marketing suit thought that it was a bright idea to enable Javascripting in PDFs to begin with.

Posted by: JP | February 11, 2008 12:32 PM | Report abuse

@Tom G:
Other vendors will always have programs that are not paid attention to like the major market holders are, Think Windows vs Apple or Linux in terms of spyware...

That is the market. When one gets attacked, trust goes to another. Very normal, just look at the recent Windows rejections for Apple.

@old guy:
Of course v6 wasn't tested - Adobe is looking at what market share v6 still has - very little, not worth their time.

If you took the time to look at it, you trust the non-"open source" software in the exact same manner. But with Open Source you at least have the RIGHT to look at that code and decide for yourself.

@Mark W:
Do you not know of the 20+/- programs in Vista that run in the background for the sole reason of spying on Vista users? Or that with Vista you give not only Microsoft, but their 3rd-party vendors the right to look at, and delete ANY file on your computer? Read your EULA...

Posted by: Dan | February 12, 2008 12:17 PM | Report abuse

I used Windows add/remove to get rid of Adobe 7.9, after I installed Foxit reader. However, it left behind the usual folders and files in programs under Adobe. I then tried to manually delete those, but it won't let me, saying some are still in use. I went into IE7 and disabled ADOBE in the manage addons, since there is no way to delete addons that I know of. So even though I "removed" adobe reader 7.9, when I go to Secunia software inspector, it still says I have Adobe 7.9. It also curiously says that this version is up to date security-wise. I would think that I would have to have adobe 8.x for it to say that. Anyway, anyone know how to get rid of adobe completely? Also even though I got rid of all old flash versions, Secunia still says I have a few old versions. What's one to do with these left-behind tidbits?

Posted by: M in CT | February 12, 2008 1:12 PM | Report abuse

@M in CT:
I honestly don't know, but v7.9 may be the patched version of the version 7 series.

Also, go here:

Download and run Hijackthis to remove BHOs that you don't want.

Posted by: Dan | February 12, 2008 4:42 PM | Report abuse

@Dan Thanks, I'll try Hijackthis. Also I found in another of Brian's blogs "Massive Java Update Includes Security Fixes" on Jan 23rd, 2008 that the 7th comment by @A noted "Flash also has a habit of sticking around. Do a scan at Secunia (BK has linked to the site before) to see if you have old versions. Unfortunately you cannot use add/remove programs to get rid of old Flash versions. There's a specific removal tool available at" So I just went there and downloaded that and am going to try it too. Thanks all.

Posted by: M in CT | February 12, 2008 9:34 PM | Report abuse

@M in CT

A reboot is probably needed to finish the Adobe Reader removal. After uninstalling there should no longer be an Adobe ActiveX BHO (Browser Helper Object) in IE Manage Add-Ons. You should also be able to delete the directory C:\Program Files\Adobe.

Otherwise, you've stumbled upon a pain point with some software that fails to properly remove itself. Sometimes the only solution is to backup your data, wipe the system and install a clean version of the operating system and all software. This is something I do at least once a year anyway due to ongoing patching and various software upgrading. It keeps the system fresh and running lean and mean.

Posted by: TJ | February 12, 2008 10:25 PM | Report abuse

Hi everyone i m Saqib and want to tell you that khilafat will be soon established and be prepared for it

Posted by: Muhammad Saqib | February 13, 2008 2:01 PM | Report abuse

@Saqib: Oh goody! Another risen-from-the-ashes "Do it our way or go to hell!" group...

Face it Saqib - everybody on earth is going to hell because none of us believe in every religion, and almost every religion states that if you don't believe (in OUR god) that you will go to hell.

You're doomed, multiple times over.

Posted by: Dan | February 15, 2008 11:39 PM | Report abuse

I am unable to get Adobe 8.1.2 to load any files, is there any tech support from adobe available? A phone number?
If I try to reinstall the old version it automatically updates to the latest version that I am unable to load. Help!

Posted by: fisheye | February 22, 2008 10:04 AM | Report abuse

Adobe updated their security advisory on Feb. 20:

"Acrobat 7 users and Adobe Reader 7 users who cannot update to version 8.1.2 can disable JavaScript to avoid these issues (with the exception of CVE-2007-5666) by following these steps:"

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK

Disabling Javascript will also disable certain advanced features in PDF documents, such as travel expense claim forms that pre-fill or calculate totals for you.

But this workaround blocks 5 of the 6 vulnerabilities. The sixth vulnerability involves a local user, instead of remote execution of code.

Even better, they finally announced that a patch for version 7 is planned to be rolled out by the end of May.

Posted by: Ken L | March 27, 2008 2:01 AM | Report abuse

The comments to this entry are closed.
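
An added example, not part of the original post or its comments: a small Python triage check, tied to the Adobe workaround quoted in the last comment (disabling JavaScript), that flags PDF files declaring JavaScript or auto-run actions so they can be reviewed before being opened in an unpatched reader. The function names and the two sample byte strings are constructed for illustration, and names stored inside compressed object streams are not inspected.

```python
import re

# PDF name tokens that declare script content or actions run on open.
SUSPECT_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by characters up to whitespace or a PDF delimiter.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")

# Constructed samples (not real documents): one plain, one declaring a script
# action, with the /JavaScript name partly hex-escaped as PDF syntax permits.
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
                b"endobj\n%%EOF")
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                   b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (var x = 1;) >>\n"
                   b"endobj\n%%EOF")


def decode_name(token: bytes) -> str:
    """Undo #xx hex escapes inside a PDF name, e.g. /J#61vaScript."""
    raw = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def script_indicators(data: bytes) -> dict:
    """Count occurrences of each suspect name in the uncompressed PDF bytes."""
    counts = {name: 0 for name in SUSPECT_NAMES}
    for token in _NAME_TOKEN.findall(data):
        name = decode_name(token)
        if name in counts:
            counts[name] += 1
    return counts


def needs_review(data: bytes) -> bool:
    """True when the file declares JavaScript at all."""
    counts = script_indicators(data)
    return bool(counts["/JS"] or counts["/JavaScript"])


if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("scripted", SAMPLE_SCRIPTED)):
        print(label, needs_review(sample), script_indicators(sample))
```

A clean result only means no script names were found in the uncompressed part of the file; it does not replace applying the 8.1.2 update.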
