
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe confirms PDF zero-day attacks. Disable JavaScript now

By | December 15, 2009, 9:08am PST


[UPDATE:  Adobe plans to patch this issue on January 12, 2010 ]

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions.  It is being exploited in the wild.

[ SEE: How to mitigate Adobe PDF malware attacks ]

The company has activated its security response process but declined to offer any more details until an investigation is complete.

Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as “very bad.”

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad.

Here’s what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

  1. There currently is no patch or update available that completely protects against this exploit.
  2. There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.
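
ShadowServer's note that the script sits inside a zlib stream explains why plain byte signatures miss these files: the telltale PDF names only appear after the stream is inflated. The following triage sketch is an added example, not code from Adobe, ShadowServer or this article; the marker list, function names and the sample PDF are constructed for illustration.

```python
import re
import zlib

# PDF name tokens that indicate embedded script or auto-run actions (assumed list).
MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def count_markers(data):
    """Count each marker as a whole PDF name, so /JS does not match /JSx."""
    return {m: len(re.findall(re.escape(m) + rb"(?![A-Za-z0-9])", data))
            for m in MARKERS}


def inflate_streams(pdf):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates trailing bytes after the zlib data
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded or damaged: skip it


def triage(pdf):
    """Report markers visible in the raw bytes and those only visible after inflating."""
    raw = count_markers(pdf)
    hidden = {m: 0 for m in MARKERS}
    for body in inflate_streams(pdf):
        for marker, n in count_markers(body).items():
            hidden[marker] += n
    return {"raw": raw, "inflated": hidden,
            "suspicious": any(raw.values()) or any(hidden.values())}


def build_sample():
    """Constructed sample: a script action dictionary hidden in a Flate stream."""
    inner = b"<< /S /JavaScript /JS (placeholder placeholder placeholder) >>"
    packed = zlib.compress(inner)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample()))
```

This only unpacks plain Flate streams; other or chained filters, encrypted documents and hex-escaped names need a full PDF parser, so a clean result here is not proof that a file is safe.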


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Get to work to fix this.
anogee 15th Dec 2009
Is opening a PDF file that complex where after years of work they still haven't found all its security holes? I think instead of adding more "features" only 0.0002% of users will use, they need to look at their program top to bottom and plug the security holes.
0 Votes
+ -
Do what I do.....
OhTheHumanity Updated - 15th Dec 2009
And scrap Adobe on all my systems and install Foxit Reader. Installs in seconds and is lightweight and fast. Just check the install size compared to Adobe. Also haven't run into any compatibility problems that couldn't be fixed with a downloaded module from Foxit.
0 Votes
+ -
Agreed.
AzuMao Updated - 15th Dec 2009
Foxit is so much lighter/faster.


Just keep in mind that it has had its fair share
of vulnerabilities, too, though.. just not nearly
as many as Adobe's crap.
0 Votes
+ -
FOXIT reader
phamiltonsmith 15th Dec 2009
I too installed foxit... FANTASTIC little product!!
0 Votes
+ -
Of course
Ashtonian 16th Dec 2009
I love Foxit as well!
It is the best there is.
0 Votes
+ -
Also...
JCitizen 15th Dec 2009
Vulnerability tracking is provided for Foxit by Secunia PSI, which is free too.

I suppose the authors think they don't respect your privacy though, from comments on the link for a replacement.
0 Votes
+ -
Using Foxit for a looong time...
Zodarr 16th Dec 2009
Adobe is bloatware (as are many others, e.g.: Nero). That's why I'm using Foxit for a while, can only recommend it. Does what it should.
0 Votes
+ -
Can't argue with Foxit...it opens too fast
eric.jernigan 16th Dec 2009
Although there is an occasional exploit to Foxit, this is a rare event and as a Foxit user, I agree that it is fast, nimble, and does just what it is designed for. On the user side, PDFs open almost instantly without a 10 second splash page.

Adobe still needs to get their S^%t together and take their product security as seriously as they do BSA enforcement.
0 Votes
+ -
Yes.
AzuMao 15th Dec 2009
Most programmers nowadays suck horribly. Even with
all the super easy to use HLLs that do most of the
work for them.
0 Votes
+ -
And stop saying "zero day".
dgurney 15th Dec 2009
ZDNet: Using made-up vocrapulary year after year.
0 Votes
+ -
Made up? See link:
BaTz281 16th Dec 2009
0 Votes
+ -
Adobe/Java script
RoseeH 16th Dec 2009
I've read your thread. I may have missed something so I do apologize if I have.
It appears that you are talking about Adobe 9 and earlier. What if you have adobe 10?
0 Votes
+ -
Hard luck!
GOTBO 16th Dec 2009
You've got even more bloatware. Uninstall Adobe Reader and install Foxit. You won't regret it.
Why does PDF need JavaScript and why do I have to disable it every time I update Adobe Reader? Adobe should just remove the JavaScript functionality from PDF completely. It's un-secure, un-wanted and useless.
0 Votes
+ -
PDF doesn't need it per se...
pdickey043@... 16th Dec 2009
Some third party security protocols (read as username and password) use Javascript to authenticate you. Since they have to check your information against a server, they use Javascript to accomplish that.

I'm sure there are better and easier methods of doing so, but for now, that's what is used. Which means that if you have "secure" pdf's you can't read them unless you reenable Javascript.

Foxit uses Javascript as well, so I'd make sure it's not vulnerable before jumping on the "Use this" bandwagon.

Have a great day:)
Patrick.
0 Votes
+ -
it's not useless
gabriel bear 13th Jan 2010
it may be insecure, since everything always is.
perhaps india ink on acid free paper can be said to be secure, if there is infinite labour and storage space.
otherwise, even it becomes subject to bit rot and hijack.
there is enormous pressure in the real world (the one where i/t professionals get paid to fix problems, not decide public and corporate policy) to develop portable interactivity--other than grand theft auto iv.
adobe is pursuing an approach.
does adobe often suck? yes. i used to own adobesux.com for that reason--back around premiere 2.0.
but "vulnerability" problems don't persist because of i/t. they persist because public policy about i/t crime lags real world events by 20 years.
0 Votes
+ -
Defeatism like that is pointless.
AzuMao 14th Jan 2010
Just because nothing is perfect doesn't mean it's
all as bad as Adobe's trash. The reason Adobe
Reader is so insecure isn't because "everything
always is", it's because Adobe ******* suck.
Simple fix - get Sumatra free pdf reader
I don't think it's that the security holes are just now uncovered, I think it's the sophistication of the hackers that keeps evolving.
0 Votes
+ -
Are Macs equally at risk as Windows machines?
mpjazzthang@... 15th Dec 2009
I guess the OS wouldn't matter if it's in the .pdf file. And what kind of data mining does a java script collect? Passwords? SS#s? maybe bank account info?
0 Votes
+ -
Run for the hills. Seriously. PDF's have been secure for years. What is next? Gif's? No wait that has been done. Nothing is secure except an unplugged alarm clock.
Because of the evil batteries in it and antenna!
0 Votes
+ -
That doesn't make it right
eric.jernigan 16th Dec 2009
PDFs aren't the issue so much as the reader. Added complexity detracts from security and creates openings (vulnerabilities) into the application.

We shouldn't take crappy security for granted, we need to demand it, just like privacy. Just because businesses and govt. suck at it doesn't make it OK.
0 Votes
+ -
Exactly.
AzuMao 16th Dec 2009
The problem is whatever is implementing the
format, not the format itself.

This is analogous to EXEs in Windows; they aren't
the issue, Windows is.
0 Votes
+ -
...oops, sorry, wrong website.
0 Votes
+ -
I would imagine so......
OhTheHumanity 15th Dec 2009
And this is why I recommend that Mac users install security software on their platform as well. Third party software is becoming more and more the attack vector so just keep that in mind.
0 Votes
+ -
is useless in this case according to the article.
0 Votes
+ -
Not quite
honeymonster 15th Dec 2009
The article says that there is no third-party
security software with effective patterns,
yet, and that developing effective
patterns are being complicated by the fact that
the code is obfuscated. Not impossible, though.

Even though anti-malware/anti-virus can not
block the infection vector, it may still be
effective against the malicious payload.
Malware authors tend to drop the same things
over and over - sometimes with smaller
variations.
0 Votes
+ -
So in other-words..
AzuMao 16th Dec 2009
..it all comes down to wishful thinking. "I
hope the AV gets an update before I'm
hacked", "Maybe they won't make new viruses
with this", "It would be nice if the
payloads used to attack this were already
blocked", etc.
0 Votes
+ -
Well...
jeremychappell 15th Dec 2009
If the advice is "use a different PDF renderer" then it seems really unlikely
that Macs will (by default) have a problem. Mac OS X uses PDF as a native
technology (it's used in the Window Manager) but it's written by Apple,
not Adobe (for history buffs Mac OS X Server 1.0 used Adobe's
DisplayPostscript, Apple replaced this with Quartz - a kind of "display
PDF" - for Mac OS X 10.0). Mac OS X uses "preview.app" to display PDFs.
You can install Adobe's PDF reader - but that's not what's used by
default.
0 Votes
+ -
...because recent versions of Safari, by default, read and display PDF files without using Adobe Reader or Acrobat. And OS X's Preview app is the default viewer for PDF files on the hard disk.

If a Mac user has explicitly chosen Adobe Reader or Acrobat to handle PDFs, then he/she might be vulnerable, depending upon how the exploit is written.
Adobe Reader is bloatware. Uninstall it now.
If all you want to do is quickly view PDFs, go get Foxit Reader.
Free fast and lightweight.
0 Votes
+ -
Amen
IslandBoy_77 15th Dec 2009
100% agree. Been using it myself for almost a year now, and have been installing it on all client's PCs where possible. A shame that Foxit is a bit clumsy to update - most people don't know they need the JPEG, JavaScriptSupport and GDI+ Module add-ons to get proper PDF compatibility (not to mention the Firefox addon if they, like me, use FF). Still, all in all, Foxit is fantastic - quick, secure, free: what's not to like?
0 Votes
+ -
Use Secunia PSI...
JCitizen Updated - 15th Dec 2009
to install the updates; it is way simpler. I just click the fixit button, to download the proper files.

I've never had functional troubles with Foxit, doing it this way.

Secunia PSI is free for home users.
0 Votes
+ -
Re: Use Secunia............
Disgruntled M$ User 16th Dec 2009
Has Secunia updated their software for this threat??? I just ran a scan and it says "0 insecure/ all patched." This includes all Adobe products including Reader! Is Secunia checking for this problem?? Inquiring minds wish to know!!
0 Votes
+ -
They may be late to the table..
JCitizen Updated - 17th Dec 2009
But if you use 64bit java for instance, they may be cross checking to see if you're actually vulnerable. Since java is involved, who knows?

Also there is a new FF version out today, the article mentions nothing of this, and surely they would have known that a newer version was out. But maybe they don't see the need to publish the numbers, but I do! The new one could be just as vulnerable - I haven't read the fix sheet on it yet.

(edited)- the new version has some java improvements but no secure enhancements to the PDF add-on/plug-in.

I would still think Foxit has a safer plugin, but the authors list link may be better.

0 Votes
+ -
My favorite PDF reader
Narg 15th Dec 2009
I prefer PDF-Xchange

http://www.docu-track.com/downloads/users/

Much faster than Foxit, and in 64-bit version too. Works better in some web sites too.
Ryan,

How about changing your headline to read "Disable *Adobe*
JavaScript Now". I just got a directive from a panicked exec
calling for us to disable Javascript on all BROWSERS
immediately.
0 Votes
+ -
Wait for it...
SpikeyMike 15th Dec 2009
Next you'll get a directive to block all PDF's at the firewall.

I'm curious to see what a non-admin account on Windows does. I doubt it can do anything as it is a user-land application. I guess we'll see soon enough - the script-kiddies will be playing with this soon.
0 Votes
+ -
No problem on my Linux box
Linux Geek 15th Dec 2009
only windoze users feel the pain.
As always Linus is safe!
Because most Linux distros have a PDF viewer by default that is not a piece of crap, bloated, and vulnerable software like Adobe Reader.
0 Votes
+ -
That's Not Entirely Certain.
bhartman36 15th Dec 2009
Here's the problem:

The exploit apparently uses the zlib libraries and javascript, both of which are present in Linux. Given that the Windows and Linux versions of Adobe Reader have essentially the same feature set, I don't think you can say with any degree of certainty that the same code (at least in terms of zlib and javascript) weren't used for both.

Of course, if you're running xpdf or something similar, it's no problem, but acroread might have the same issue.

By the way: I think Linus' biggest problem is probably keeping his blanket clean and searching for the Great Pumpkin.
0 Votes
+ -
Linus is safe?
Loverock Davidson 15th Dec 2009
Was this javascript going to attack him personally?
0 Votes
+ -
Yay!
AzuMao 15th Dec 2009
I'm glad it wasn't able to strangle him.
0 Votes
+ -
No problem on my Windows box.
Ceridan 16th Dec 2009
I don't have Adobe Reader...
and as always my Windows box is safe!..


PS: the attack is a javascript which is not platform specific, and having Javascript in PDFs is a stupid idea anyway.
0 Votes
+ -
The parsers for it are.
AzuMao 16th Dec 2009
And they're the problem, not the script itself.
0 Votes
+ -
this flaw affects all platforms
directory 16th Dec 2009
this flaw affects all platforms, linux included