Adobe Urges Stopgap Changes To Blunt Cyber Threat

Adobe Systems Inc. has found itself in the midst of a public relations maelstrom of the sort once reserved only for Microsoft Corp., as security experts chastise the company for not moving fast enough to address a critical security hole in its products even as third-party software makers offer makeshift fixes for the flaw.

On Feb. 19, experts at Shadowserver.org, a volunteer-led security group, let the world know that bad guys were attacking an unpatched security flaw in Adobe Acrobat and Reader to break into systems when users opened booby-trapped .PDF files. The Shadowserver guys said one way to mitigate this threat was to disable the rendering of JavaScript within these programs.

Later that day, Adobe released its own advisory, which acknowledged that the flaw existed in all supported versions of its products, and on all operating systems. The company said it planned to ship an update to fix the flaw on March 11, and that it expects to make updates available for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18th.

The following day, security vendor Sourcefire blogged about the threat in a description that security experts said more or less painted a blueprint that hackers could use to exploit the flaw.

Two days later, milw0rm.com, a Web site dedicated to propagating instructions for exploiting software flaws, published two different blueprints for attacking the Adobe vulnerability, each of which credited the Sourcefire advisory for its inspiration.

Meanwhile, a number of third-party software vendors began offering their own fixes to plug the flaw in Adobe's software.

Under fire from many in the security community who charged that Sourcefire's publishing this information amounted to a how-to plan for those seeking to exploit the Adobe flaw for criminal gain, Sourcefire said it opted to publicize its findings after determining that hackers had been exploiting the flaw since Jan. 9.

"Instead of letting the world get owned, we thought it better to provide protection for people than to continue to allow people to get hacked completely," said Martin Roesch, co-founder and chief technology officer for Sourcefire.

Brad Arkin, Adobe's director for product security and privacy, said the company was alerted on Jan. 16 about the presence of malware exploiting the flaw, though he declined to say which organization alerted them to that fact.

When asked why the company had not offered instructions on how to mitigate the threat by disabling JavaScript in its products, Arkin said Adobe wanted to make sure the fix it presented was complete.

"Disabling JavaScript is one way to prevent a particular class of attacks [from this flaw], but it doesn't address the root vulnerability itself," Arkin said. "Our focus when we were first informed about this was to try to focus our efforts to get a patch out to all users."

In the hours since that interview with Security Fix, Adobe updated its advisory to recommend that users disable JavaScript support until the company releases a patch to fix the flaw.

Adobe's adoption rate among Microsoft Windows users and fans of other operating systems makes it one of the most pervasive software makers on the planet, and also one of the most-targeted. It would be helpful if, the next time such a serious hole arises in Adobe's products, the company took a page from Microsoft's playbook by offering users upfront advice on how to mitigate the threat until an official patch is released.

By Brian Krebs  |  February 25, 2009; 7:20 AM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  | Tags: adobe, javascript, shadowserver, sourcefire  

Comments

This morning SANS is saying JS is NOT necessary for the Adobe exploit.

This morning Microsoft is telling me that KB967715 is ready to download. Something about Autorun. What gives?

Also, is there a new Flash update?

Thanks,
Bartolo

Posted by: Bartolo1 | February 25, 2009 8:05 AM

Arkin said. "Our focus when we were first informed about this was to try to focus our efforts to get a patch out to all users."

FAIL.

Posted by: lostinthemiddle | February 25, 2009 10:37 AM

Probably the reason Adobe Systems doesn't share Microsoft's level of skill in mitigating software flaws is because Adobe products have so few of them.

Posted by: robertdsands | February 25, 2009 10:47 AM

Great article ~

I think the only way to really mitigate this kind of thing is to prevent it from happening in the future as much as possible. Basically, always working continually on the solution before it happens.

When I have a digital security problem I often consult http://www.justaskgemalto.com. I would be interested myself to know where most other people go. Would you mind touching on that in an article?

Posted by: ThomasWhitney | February 25, 2009 11:25 AM

The Adobe Product Security Incident Response Team has a blog post that lists antivirus and security vendors that detect this vulnerability.

http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue_1.html

Posted by: R__J | February 25, 2009 12:27 PM

Robertdsands
so few skills?? or
so few flaws??

Posted by: peppermintpatti1 | February 25, 2009 12:50 PM

robertdsands
I just disabled Javascript on my Mac . . . 'til further notice. Sensible??

Posted by: peppermintpatti1 | February 25, 2009 12:52 PM

New version of Adobe Flash Player - 10.0.22.87 - now available at the Adobe web site. Does not address the Adobe Reader flaw described above, but still worth noting.

Posted by: SSMD1 | February 25, 2009 1:14 PM

For Firefox users, here's a link to a page that gives info on various ways to enable/disable Adobe plug-ins, including a link to alternative PDF-reader applications.

http://kb.mozillazine.org/Adobe_Reader

I switched to Foxit Reader months ago because I have better things to do than wait for Adobe programs to load into memory, and it's worked just fine for me. Someone mentioned a printing problem with it in a previous Security Fix installment, but I haven't encountered it.

Posted by: mark51 | February 25, 2009 4:42 PM

Nice job highlighting how Sourcefire released a home-brew patch two days after releasing details on the vulnerability: http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

Should have been pretty easy to find, given that it was all of two posts up on the blog where the vulnerability details were given.

Posted by: schnarff | February 25, 2009 4:46 PM

@schnarff -- Did you miss this paragraph?

"Meanwhile, a number of third-party software vendors began offering their own fixes to plug the flaw in Adobe's software."

Yes, Sourcefire released a homebrewed patch. As did iDefense and a number of other vendors.

Posted by: BTKrebs | February 25, 2009 4:50 PM

@BTKrebs - got links to those patches? Somehow I doubt it; they may have referenced the Sourcefire patch, but they didn't release patches of their own. Perhaps you're referring to notes encouraging users to turn off JavaScript in PDFs?

My complaint is primarily with the way things were worded here, BTW. After noting that Sourcefire put out details of the vulnerability, and then highlighting the fact that Milw0rm referenced the Sourcefire note, the failure to specifically mention Sourcefire's patch unnecessarily paints the company in a negative light, as the casual reader would have no idea that Sourcefire was among those who released fixes. Given that Sourcefire's patched binary was particularly newsworthy - as homebrew patches of that sort are exceedingly rare in the industry - the failure to mention it specifically seems especially odd.

Posted by: schnarff | February 25, 2009 5:16 PM

Since this exploit evidently affects Mac users, should not they just use Preview?

Posted by: Garak | February 25, 2009 6:09 PM

@Garak: Preview is exactly what I've always used on my Mac anyway. In fact, I didn't realize I had Adobe Reader on my work-issued Macbook until I went to write this blog post.

Posted by: BTKrebs | February 25, 2009 7:40 PM

Amazing that when Sun first introduced Java as the "Perfect Operating System", they bragged how Java would end the reign of Microsoft. It was because Java was so SAFE.

Posted by: calmaise | February 25, 2009 8:01 PM

Like cars and cat food, software needs to be regulated so that the companies are held liable for defective or damaging products; companies should have x hours to fix a hole or receive a fine. To put off fixing a security hole for 60 days should be criminal.

Posted by: kkrimmer | February 25, 2009 8:24 PM

@calmaise:

You seem to be confusing Java with Javascript. Although they have certain similarities in syntax, they're really two entirely different technologies.

Java is not an operating system, and it's certainly not perfect; but any vulnerabilities in Javascript have no bearing on the safety of Java technology.

More to the point, the present vulnerability is not caused by a problem with Javascript. It just happens that disabling Javascript will disrupt the currently known exploits. Note the following from the Adobe advisory that Brian linked to in his article:

"Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk."

You can also protect against this vulnerability by disconnecting your Internet connection; but that doesn't mean that network protocols or your ISP are at fault.

Posted by: mark51 | February 26, 2009 12:17 AM

I guess I should acknowledge for the sake of clarity that Java was originally conceived as an embedded operating system for household devices; but that's not the path it actually followed.

Posted by: mark51 | February 26, 2009 12:21 AM

Will Adobe offer a patch for Acrobat 6? The article mentions only Acrobat 7 and later. A lot of people who bought Creative Suite 1 with Acrobat 6 still use it.

Posted by: Garak | February 26, 2009 7:35 AM

I've added the Adobe Reader patches - everything seems to work OK.

I also tried FoxIt but got rid of it after finding out that it refuses to open URLs in either my own PDF documents or in Firefox. It was also a pain in the kiester to get off my PC (XP, SP3).

Back to Adobe as the default PDF reader.

Posted by: SC54HI | February 26, 2009 7:48 PM

Adobe announced publicly that they have a vulnerability on Feb 19th 2009. (CVE-2009-0658)

It's known throughout the world and published by Adobe publicly, as well as via NIST in the National Vulnerability Database and via US CERT at the US Department of Homeland Security.

It affects Adobe Reader 9 and Acrobat 9 - and Adobe has plans for a software patch to be available by March 11th, 2009.

It also affects Adobe Reader 7 and 8, and Acrobat 7 and 8 - and Adobe has plans for a software patch to be available by March 18th.

Since there is a known vulnerability without the availability of a software patch, and it's a critical vulnerability, Adobe recommends "that users update their virus definitions and exercise caution when opening files from untrusted sources."

And then this morning the US Government asked for volunteers to author an OVAL (Open Vulnerability Assessment Language) check for this vulnerability since their understanding is that there are ACTIVE EXPLOITS, which is true. Our Security Research Team has volunteered to author this check and provide it to the government and broader information security community.

In addition, we strongly suggest a focused action plan at this juncture:
1. Notify end users of the potential for exploits, and to not open untrusted PDF documents
2. Perform an immediate discovery scan to refresh the inventory of systems that will need to be scanned for this vulnerability, and to ensure desktop anti-virus products are installed and up-to-date.
3. Plan for a multi-step mitigation plan
- in order to minimize the vulnerability window, upgrade Adobe Reader versions 7 and 8, and Adobe Acrobat 7 and 8 as soon as possible.
- plan for the pending Adobe 9 patch testing and upgrade
- plan for potential incident responses required if an exploit is detected before the planned upgrades are completed.

"User notification and education is key, along with incident response planning in case of active exploit detection," said Ken Halley, CISSP and chief executive officer of Gideon Technologies. "Advance planning, and vigilance in monitoring your network, is required. Know your assets - Minimize the vulnerability window - Know your risk. If you wait until you detect an exploit on your network, then it's too late."
www.gideontechnologies.com

Posted by: BBPalSparky | February 27, 2009 4:35 PM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company