
Attackers Exploiting Unpatched Flaw In Adobe Reader, Acrobat

Hackers are exploiting an unpatched security hole in current versions of Adobe Reader and Acrobat to install malicious software when users open a booby-trapped PDF file, security experts warn.

Adobe issued an advisory Thursday warning that its Reader and Acrobat software versions 9 and earlier contain a vulnerability that could allow attackers to take complete control over a system if the user were to open a poisoned PDF file. Adobe said it doesn't plan to issue an update to plug the security hole until March 11.

Meanwhile, the folks at Shadowserver.org, a volunteer-led security group, said it has seen indications that this vulnerability is being used in targeted attacks. Shadowserver warns that this exploit is likely to be bundled into attack kits that are sold to cyber crooks who specialize in seeding hacked and malicious Web sites with code that tries to install malware.

"These types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the Internet," Shadowserver volunteer Steven Adair wrote on the group's blog.

Adobe's advisory lacks any advice users can follow to mitigate the threat from this flaw. But those at Shadowserver say Adobe Reader and Acrobat users can significantly reduce their exposure to such attacks by disabling Javascript within the application. To nix Javascript, select "Edit," "Preferences," "Javascript," and uncheck the box next to "Enable Acrobat Javascript."

In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable. I will update this post if I receive an answer from Foxit.

Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future."

Also, Symantec has now posted its writeup on this flaw, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations. "We have observed few exploits of this vulnerability in the U.S., China, Japan, Taiwan and the U.K. and continue to monitor for any signs of a widespread attack using this exploit."

By Brian Krebs  |  February 20, 2009; 6:55 AM ET
Categories:  Latest Warnings , Safety Tips  

Comments

Scary stuff.

Does this only apply to Windows machines or also to Apple Macs running OS X with Adobe Reader? What about using the OS X Preview reader?

Posted by: OttawaForester | February 20, 2009 8:49 AM | Report abuse

I have tried Foxit Reader when Adobe Reader was exceedingly slow to boot up, and I had trouble printing or Saving As anything opened with Foxit Reader. I've gone back to Adobe Reader and it seems faster now. As always, Brian, thanks for watching over us. :-))

Posted by: peterpallesen | February 20, 2009 8:52 AM | Report abuse

Ladies & Gentlemen: Until the techs realize that any S/W & encryption is hackable (references below), these problems will expand to the point that we will have a real economic chaos with people rioting to get food. What is refreshing is that all it took was one call to the WH, and within 48 hours our products are now being reviewed by very high level personnel. If we are good enough for the Canadian Govt Dept of Public Safety (DHS), why did Senator Lieberman's (Chair, DHS Committee) Chief of Staff & Counsel tell us to cease and desist? The same with my own Senator Schumer (TSA Committee), and that list is very long.
Where is our Press who up to now only wants to report problems but never solutions? Mr Krebs, perhaps your readership should direct questions to you? That's why this David welcomes any direct inquiries to coninuump@gmail.com
Bob/CEO
References: Roger Schell, PhD & former Dep. Dir. NSA: "no software capability can provide more overall security than the platform it is hosted on. Factually, you are transparent to all IT networks & software today." Today, to our knowledge, your platform is the "only commercial transparent appliance" that today can deal with standard & proprietary software. If you can get a major institution like XXXXXX to take the next step with their Executives (NOT IT Staff) folks at first, they might at least understand how they can benefit today. These "experts" are pushing encryption, totally ignoring that to the professional attacker, which they don't seem to recognize, this encryption would make little difference since they would steal the keys or decrypt the data to get a plain text copy. Crypto is indeed the "opiate of the naive". Remember all software is hackable. Professor Caelli: Encryption doesn't solve the problem -- a fact that will continue to bedevil MLS efforts on any platform in the market today. Professor Bill Caelli has written:
"It is common ... for the banking and finance industry to explain their security parameters to customers in terms of 128 & 256-bit cipher, SSL implementation without any discussion at all of the system security at each end of the "line"."

Posted by: continuump | February 20, 2009 9:35 AM | Report abuse

Why does Reader even need Javascript?

Posted by: Hemisphire | February 20, 2009 9:40 AM | Report abuse

>>Why does Reader even need Javascript?

With Reader, you can sometimes fill out forms. Those forms might use JavaScript. For example, you might get a form asking your height: You plug in 6'1".

Then the form will also calculate your height as 185 cm (centimeters) for those using metric.

A better example is an order form. You indicate which things you want to purchase, and the form automatically sums the total amount of the purchases.

Some forms are dynamic in the sense that they don't have a fixed length. If you add more items to purchase, add more beneficiaries to an insurance policy, or add more text to a survey, the form adds another page. The page numbering might be driven by JavaScript.

Posted by: mountainhiker | February 20, 2009 10:01 AM | Report abuse

Since I use Mozilla Firefox for everything except business I do with DishNetwork and Directv, HughesNet and WildBlue, am I not fairly safe from this since I have the add-on NoScript? Anytime I open a page I haven't been to before, sometimes the only thing I see on that page is "You Must Enable Java to view this page". Isn't NoScript keeping me safe in these instances? DishNetwork and Directv only use IE since in their words "It's the safest browser to use". I'm not sure how their IT depts. have determined this but it certainly doesn't add up for me. Can someone tell me why they think it's the safest browser since it will open up any old page you want without so much as a "how you do"? I can't help but feel opening up a blank page and letting me see all the java and other things ready to run in the background and giving me the chance to review what they are could not be safer. What am I missing?

Posted by: Eightsouthman | February 20, 2009 12:39 PM | Report abuse

Several years ago I removed Adobe Reader and use Foxit instead. It is fine for reading PDF files and their latest release claims to have fixed a printing problem. I can't see how to disable JS in Foxit, however.

Posted by: Bartolo1 | February 20, 2009 1:17 PM | Report abuse

We have a managed service solution that keeps applications up-to-date. But the dilemma is that NetworkCare does not upgrade applications. So, we are looking for a way to "push" out an Acrobat upgrade. I think it is possible. It is a never-ending war!

Stu
http://www.progressiveoffice.com

Posted by: stukushner | February 20, 2009 2:48 PM | Report abuse

Is this just one more instance of the decades-old advice to not open e-mail attachments or Web downloads if you don't know who they are from or what they are for?

Posted by: 54Stratocaster | February 20, 2009 10:01 PM | Report abuse

"Since I use Mozilla Firefox for everything except business I do with DishNetwork and Directv, HughesNet and WildBlue, am I not fairly safe from this since I have the add-on NoScript."

----------------------

NoScript stops your BROWSER from running JavaScript; it seems unlikely that it would also stop Adobe Reader from running its own JavaScript (maybe someone with more motivation could test this?)

A good add-on to have is PDF Download (https://addons.mozilla.org/en-US/firefox/addon/636), which asks you what you want to do with the PDF instead of your browser automatically opening it.

And opening adobe reader now and clicking "Edit," "Preferences," "Javascript," and unchecking the box next to "Enable Acrobat Javascript" is a very good idea.

Posted by: buckdharma | February 21, 2009 12:56 AM | Report abuse

Discovered: February 12, 2009
Updated: February 12, 2009 5:18:24 PM
Type: Trojan
Infection Length: 827,308 bytes
Systems Affected: Windows 2000, Windows Vista, Windows XP

The Trojan may arrive on the compromised computer as a spammed email attachment, through a malicious link, or through Web browser redirects.

When the Trojan executes, it attempts to exploit the Adobe Reader PDF File Handling Remote Code Execution Vulnerability (BID 33751) in Adobe Acrobat Reader 8 and 9.

Next, the Trojan attempts to drop and execute the following files on the compromised computer:

* %Temp%\SVCHOST.EXE (Backdoor.Trojan)
* %Temp%\TEMP.EXE (Backdoor.Trojan)
* %System%\[EIGHT RANDOM CHARACTERS].DLL (Backdoor.Trojan)

The Trojan opens a back door on the compromised computer.

It then contacts the following remote host in order to steal information from the compromised computer:
js001.3322.org

Posted by: munkle | February 21, 2009 6:56 AM | Report abuse

The article should make it clear that it's WINDOWS machines that are at risk, not Macs or Linux. Another good reason to abandon Microsoft. They're more concerned about stockholders than customers, way more.

Posted by: hairguy01 | February 21, 2009 8:26 AM | Report abuse

So that's what my friend has had on her computer since the first week in February. A check of her browser history showed that she had visited several online help files for photo editing and the processes mentioned above were evident in task manager. But figuring out which svchost.exe was not legitimate was a guessing game and stopping those processes and removing things from the start-up menu that did not belong did not keep the bug from regenerating.
Here are some of the defensive mechanisms built into the package on her machine. It has a hijacker built in to keep you from updating or downloading any anti-malware software. It won't let you do a malwarebytes installation to the c drive (I even tried using another administrative profile to do the installation although using that other account and starting in safe mode allowed me to do a scan). It drops an htm virus into all the htm and html files it can find so that a virus scan takes forever and will eventually overload the scan engine (you'd be amazed at how many html files programs like photoshop and tax-cut have). It disables the autoprotect and autofix features in McAfee so that a scan doesn't remove the beast.
Right now her hard drives are over at another friend's house. He's going to scan them as secondary drives using his Kaspersky.
This is a nasty bug, she works for DoD and I'm sure it was trying to gain remote access because it kept asking for her sign in.

Posted by: frodo2you | February 21, 2009 10:02 AM | Report abuse
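Two of the comments above give a defender something concrete to check: the Symantec writeup quoted by munkle names the dropped files (%Temp%\SVCHOST.EXE, %Temp%\TEMP.EXE and an eight-character DLL in %System%) and the host js001.3322.org, and frodo2you notes that telling the dropped svchost.exe from the real one was "a guessing game". The Python script below is an added example; it is not part of the post, of any comment or of Symantec's writeup. It classifies file and process image paths against those indicators (the one thing that separates the dropped svchost.exe from Windows' own is its directory) and pulls the C2 lookups out of DNS log lines. The directory paths, the DNS log lines and the small known-good DLL list are constructed for the example.

```python
"""Triage helper for the indicators in the Symantec writeup quoted above.

Added example, not code from the post or from Symantec. Indicators taken from
the writeup: %Temp%\\SVCHOST.EXE, %Temp%\\TEMP.EXE, %System%\\<8 random chars>.DLL
and the host js001.3322.org. Everything else below is constructed test data.
"""
import re
from pathlib import PureWindowsPath

# Indicators from the quoted writeup
C2_HOST = "js001.3322.org"
TEMP_DROPS = {"svchost.exe", "temp.exe"}
RANDOM_DLL = re.compile(r"^[a-z0-9]{8}\.dll$", re.IGNORECASE)

# Constructed stand-ins for %Temp% and %System% on a Windows XP box
TEMP_DIR = PureWindowsPath(r"C:\Documents and Settings\user\Local Settings\Temp")
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

# Caveat: many legitimate system DLLs also have eight-character names, so the
# DLL pattern is only a review prompt. A real baseline would be the signed,
# known-good inventory of %System%; this short list is constructed.
KNOWN_GOOD_DLLS = {"kernel32.dll", "advapi32.dll", "shell32.dll"}


def classify_path(path_str):
    """Return a verdict for a file path or a process image path.

    The point from the thread: a legitimate svchost.exe lives in %System%.
    One running from %Temp% is the dropped backdoor, whatever its name says.
    """
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parent = p.parent  # PureWindowsPath compares case-insensitively
    if parent == TEMP_DIR and name in TEMP_DROPS:
        return "suspicious: dropped file in %Temp%"
    if name == "svchost.exe":
        if parent == SYSTEM_DIR:
            return "expected: svchost.exe in %System%"
        return "suspicious: svchost.exe outside %System%"
    if parent == SYSTEM_DIR and RANDOM_DLL.match(name) and name not in KNOWN_GOOD_DLLS:
        return "review: 8-character DLL in %System% not in baseline"
    return "no match"


def triage(paths):
    """Classify every path (e.g. a Task Manager image list or a dir listing)."""
    return {path: classify_path(path) for path in paths}


# Constructed DNS resolver log: "<date> <time> <client> query <type> <name>"
DNS_LOG = """\
2009-02-20 08:13:02 192.168.1.17 query A www.washingtonpost.com
2009-02-20 08:13:40 192.168.1.17 query A js001.3322.org
2009-02-20 08:14:01 192.168.1.22 query A update.adobe.com
2009-02-20 08:15:55 192.168.1.17 query A JS001.3322.ORG.
"""


def find_c2_lookups(log_text, c2_host=C2_HOST):
    """Return (timestamp, client) for every query of the C2 host.

    Names are compared case-insensitively and without a trailing dot, since
    resolvers log them either way.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "query":
            continue
        timestamp, client, qname = f"{parts[0]} {parts[1]}", parts[2], parts[5]
        if qname.rstrip(".").lower() == c2_host.lower():
            hits.append((timestamp, client))
    return hits


# Constructed sample of image paths as they might appear in Task Manager
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\SVCHOST.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temp\TEMP.EXE",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\qzkd8w1p.dll",
    r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PATHS).items():
        print(f"{verdict:55s} {path}")
    for timestamp, client in find_c2_lookups(DNS_LOG):
        print(f"C2 lookup by {client} at {timestamp}")
```

The script only matches the artifacts the writeup names; a repacked sample would use other file names, so the path check is a starting point for triage, not a detection signature. The DNS check is the more durable of the two, since the host has to be resolved for the backdoor to reach it.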

@hairguy: if you read Adobe's advisory, it clearly states this affects ALL PLATFORMS. So, Mac and Linux versions are, according to Adobe, vulnerable.

Read the advisory linked to at the beginning of this blog post.

Release date: February 19, 2009

Vulnerability identifier: APSA09-01

CVE number: CVE-2009-0658

Platform: All platforms

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions.

Posted by: BTKrebs | February 21, 2009 10:18 AM | Report abuse

@hairguy and others who think this is a Windows-only threat:

You may want to take a look at a (somewhat technical) writeup from researchers at Snort, which explains in detail why this vulnerability has the strong potential to be a cross-platform threat.

http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

Posted by: BTKrebs | February 21, 2009 10:39 AM | Report abuse

Aha! Even more light on the subject! One of the online help files my friend was looking at just prior to the infection was a 'how to' that likely would have included an image stream.

Posted by: frodo2you | February 21, 2009 11:22 AM | Report abuse

Bartolo1, you can disable JavaScript in Foxit Reader by following the same directions that were given for Acrobat:

[opening adobe reader now and clicking "Edit," "Preferences," "Javascript," and unchecking the box next to "Enable Acrobat Javascript"]

Just open Foxit - Edit - Preferences - Javascript - uncheck Enable Javascript Actions. Very easy to do.

Posted by: elyrest | February 21, 2009 11:40 AM | Report abuse

Since even after multiple attempts I was unable to install Adobe Reader 9, I suppose I'm immune to this latest threat. Ironic! And p.s.: Adobe's instructions for how to cope with the installation problems do not inspire confidence for their ability to deliver a simple, secure fix for this latest issue.

Posted by: GardnerCampbell | February 21, 2009 12:08 PM | Report abuse

GardnerCampbell
My friend's computer was running older versions of both Adobe Reader and Java and the Snort reference indicates that the same exploit could probably be used on multiple versions of Adobe. Look in add/remove programs, you probably still have several older versions of reader and java still listed. Remove them all and start fresh with the newest versions but you will still have to follow the instructions above to be protected.

Posted by: frodo2you | February 21, 2009 12:41 PM | Report abuse

The problem is this ridiculous trend to embed javascript into everything. It is difficult to believe that Adobe didn't recognize that such a decision could lead to such a vulnerability in their reader. Until firms like Microsoft, Adobe, etc. put SECURITY over minor functionality and "eye candy" gains, we will all remain vulnerable to crooks half-way around the globe. This attitude has got to change!

Posted by: mb56 | February 21, 2009 1:21 PM | Report abuse

@eightsouthman, what you are missing is that this is not a browser vulnerability, but an Adobe Reader vulnerability.

NoScript only covers your browser, and, even then, if you click to run Javascript when prompted in order to view something, you aren't any safer than if NoScript hadn't been running at all. But, as I said, in this case, the problem does not appear to be so much with malicious content on web pages, but is a hole in Adobe Reader.

Posted by: blert | February 21, 2009 4:31 PM | Report abuse

Thanks, elyrest!

Posted by: Bartolo1 | February 21, 2009 4:58 PM | Report abuse

Ars Technica has a fix for OS/X users:

http://arstechnica.com/security/news/2009/02/adobe-issues-critical-security-alert-for-acrobat-and-reader.ars

xpdf is available for all *NIX systems and faster enough that it's usually the default.

Posted by: lembark | February 22, 2009 3:24 PM | Report abuse

@BTKrebs, I stand corrected, sorry for the error. I'll make sure I don't upgrade my Adobe reader.

Posted by: hairguy01 | February 22, 2009 3:34 PM | Report abuse

Adobe Reader under Mac - Vulnerable. Go to MacWorld to see details.

Preview - Not vulnerable. But forget about filling out forms.

BB

Posted by: FairlingtonBlade | February 22, 2009 5:02 PM | Report abuse

Because the locations and files:

* %Temp%\SVCHOST.EXE
* %Temp%\TEMP.EXE
* %System%\[EIGHT RANDOM CHARACTERS].DLL

do not exist on Mac and Linux systems, this specific exploit cannot infect these OSes.

It is possible that other exploits might, but this one cannot....

Posted by: vaporland | February 22, 2009 8:45 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company