Adobe Warns of Critical Threat to Reader, Acrobat Users

Adobe Systems Inc. late Thursday issued an alert saying that hackers are exploiting a newly discovered vulnerability in its free PDF Reader and Acrobat products to break into Microsoft Windows systems.

Adobe said it plans to release a patch to fix this vulnerability next Tuesday, in keeping with its recent shift to push out security updates in tandem with Microsoft's regular monthly patch cycle, which occurs on the second Tuesday of each month (a.k.a. "Patch Tuesday").

According to the Adobe advisory, the company is planning to release an update for Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh to resolve critical security issues.

"Among other issues, this update will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX," Adobe said in its advisory. "There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe Reader and Acrobat 9.1.3 customers with DEP [Data Execution Prevention] enabled on Windows Vista are protected from this exploit."

Adobe says disabling JavaScript in Reader and/or Acrobat can help mitigate the threat from the specific exploit that is circulating at the moment, but that it will not protect against all attacks taking advantage of the underlying vulnerability. The full advisory is here. An older advisory from US-CERT includes the relevant instructions on how to disable JavaScript in Reader, as well as how to prevent the browser from automatically displaying PDF files (if you choose this option, you can still view PDFs in Reader by downloading the file and opening it separately).

News like this is often jarring and scary, but in all likelihood the attacks that Adobe is referencing are targeted at a specific group of organizations or governments. Alex Lanstein, a senior security researcher at Milpitas, Calif.-based security firm FireEye, notes that what's unusual about this vulnerability is that while Adobe is referencing reports of the vulnerability being exploited in the wild, there don't appear to be instructions or exploit code for this flaw publicly available at the moment.

Barring any notable developments in the meantime, I'll have more information about this next Tuesday, when Microsoft issues what promises to be a record-breaking number of security updates. According to a heads-up on its Security Response Center blog, Microsoft plans to release 13 patch bundles (eight critical and five important) that address at least 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server.

By Brian Krebs  |  October 9, 2009; 1:00 PM ET

© 2010 The Washington Post Company