Adobe confirms PDF zero-day attacks. Disable JavaScript now

Summary: According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

[UPDATE: Adobe plans to patch this issue on January 12, 2010]

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe's ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

The company has activated its security response process but declined to offer any more details until an investigation is complete.

Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as "very bad."

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad.

Here's what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

  1. There currently is no patch or update available that completely protects against this exploit.
  2. There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.
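
The ShadowServer note above says the script is hidden inside a zlib stream, which is why signatures that only look at a PDF's raw bytes miss it. The following triage sketch is an added example, not code from Adobe, ShadowServer or the original article: it inflates each stream before looking for script and auto-run action names. The marker list, function names and sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# PDF name tokens that signal embedded script or auto-run actions.
JS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data):
    """Undo #xx escapes, which PDF allows inside names (/J#61vaScript)."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(pdf):
    """Yield the inflated body of every stream that zlib can decompress."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data, or another filter is applied first

def find_js_markers(pdf):
    """Map each layer ('raw', 'stream0', ...) to the marker names found in it."""
    layers = [("raw", pdf)]
    layers += [(f"stream{i}", s) for i, s in enumerate(inflate_streams(pdf))]
    hits = {}
    for label, data in layers:
        data = normalize_names(data)
        found = sorted(n.decode() for n in JS_NAMES
                       if re.search(re.escape(n) + rb"(?![A-Za-z])", data))
        if found:
            hits[label] = found
    return hits

# Constructed sample: the action dictionary sits inside a Flate-compressed
# object stream, so none of the marker names appear in the file's raw bytes.
_inner = b"7 0 << /S /JavaScript /JS (/* constructed placeholder */) >>"
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /N 1 /First 4 "
          b"/Filter /FlateDecode >>\nstream\n" + zlib.compress(_inner) +
          b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(find_js_markers(SAMPLE))
```

A hit is a reason to quarantine the file and look closer, not a verdict: many legitimate forms carry JavaScript, and streams that are encrypted or use other filters are not decoded here.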


Talkback

123 comments
  • Get to work to fix this.

    Is opening a PDF file that complex where after years of work they still haven't found all its security holes? I think instead of adding more "features" only 0.0002% of users will use, they need to look at their program top to bottom and plug the security holes.
    anogee
    • Do what I do.....

      And scrap Adobe on all my systems and install Foxit Reader. Installs in seconds and is lightweight and fast. Just check the install size compared to Adobe. Also haven't run into any compatibility problems that couldn't be fixed with a downloaded module from Foxit.
      OhTheHumanity
      • Agreed.

        Foxit is so much lighter/faster.


        Just keep in mind that it has had its fair share
        of vulnerabilities, too, though.. just not nearly
        as many as Adobe's crap.
        AzuMao
      • FOXIT reader

        I too installed foxit... FANTASTIC little product!!
        phamiltonsmith
        • Of course

          I love Foxit as well!
          It is the best there is.
          Ashtonian
      • Also...

        Vulnerability tracking is provided for Foxit by Secunia PSI, which is free too.

        I suppose the authors think they don't respect your privacy though, from comments on the link for a replacement.
        JCitizen
      • Using Foxit for a looong time...

        Adobe is bloatware (as are many others, e.g.: Nero). That's why I'm using Foxit for a while, can only recommend it. Does what it should.
        Zodarr
      • Can't argue with Foxit...it opens too fast

        Although there is an occasional exploit to Foxit, this is a rare event and as a Foxit user, I agree that it is fast, nimble, and does just what it is designed for. On the user side, PDFs open almost instantly without a 10 second splash page.

        Adobe still needs to get their S^%t together and take their product security as seriously as they do BSA enforcement.
        eric.jernigan
    • Yes.

      Most programmers nowadays suck horribly. Even with
      all the super easy to use HLLs that do most of the
      work for them.
      AzuMao
    • And stop saying "zero day".

      ZDNet: Using made-up vocrapulary year after year.
      dgurney
      • Ya, ZDNet obviously made it up. And I've got 4 letters for you;

        R (http://en.wikipedia.org/wiki/Zero_day_attack)
        O (http://research.eeye.com/html/alerts/zeroday/index.html)
        F (http://zerodaythreat.com/)
        L (http://www.securityfocus.com/brief/984)
        ! (http://www.watchguard.com/products/zeroday.asp)
        AzuMao
      • Made up? See link:

        http://tinyurl.com/npwzcj
        BaTz281
    • Adobe/Java script

      I've read your thread. I may have missed something so I do apologize if I have.
      It appears that you are talking about Adobe 9 and earlier. What if you have adobe 10?
      RoseeH
      • Hard luck!

        You've got even more bloatware. Uninstall Adobe Reader and install Foxit. You won't regret it. :-)
        GOTBO
  • RE: Adobe confirms PDF zero-day attacks. Disable JavaScript now

    Why does PDF need JavaScript and why do I have to disable it every time I update Adobe Reader? Adobe should just remove the JavaScript functionality from PDF completely. It's un-secure, un-wanted and useless.
    edmanet@...
    • PDF doesn't need it per se...

      Some third party security protocols (read as username and password) use Javascript to authenticate you. Since they have to check your information against a server, they use Javascript to accomplish that.

      I'm sure there are better and easier methods of doing so, but for now, that's what is used. Which means that if you have "secure" pdf's you can't read them unless you reenable Javascript.

      Foxit uses Javascript as well, so I'd make sure it's not vulnerable before jumping on the "Use this" bandwagon.

      Have a great day:)
      Patrick.
      pdickey043@...
    • it's not useless

      it may be insecure, since everything always is.
      perhaps india ink on acid free paper can be said to be secure, if there is infinite labour and storage space.
      otherwise, even it becomes subject to bit rot and hijack.
      there is enormous pressure in the real world (the one where i/t professionals get paid to fix problems, not decide public and corporate policy) to develop portable interactivity--other than grand theft auto iv.
      adobe is pursuing an approach.
      does adobe often suck? yes. i used to own adobesux.com for that reason--back around premiere 2.0.
      but "vulnerability" problems don't persist because of i/t. they persist because public policy about i/t crime lags real world events by 20 years.
      gabriel bear
      • Defeatism like that is pointless.

        Just because nothing is perfect doesn't mean it's
        all as bad as Adobe's trash. The reason Adobe
        Reader is so insecure isn't because "everything
        always is", it's because Adobe fucking suck.
        AzuMao
  • RE: Adobe confirms PDF zero-day attacks. Disable JavaScript now

    Simple fix - get Sumatra free pdf reader
    info@...
  • RE: Adobe confirms PDF zero-day attacks. Disable JavaScript now

    I don't think it's that the security holes are just now uncovered, I think it's the sophistication of the hackers that keeps evolving.
    cscottenpointe