Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe plugs PDF zero-day flaw in latest security makeover

By | January 13, 2010, 8:06am PST

Adobe has released a mega-update for its Reader and Acrobat software products to fix a total of eight documented security vulnerabilities.

The update comes with significant security improvements, including “Enhanced Security,” which is now on by default. The feature provides a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions.

First up, here are the security vulnerabilities patched with this update:

  • This update resolves a use-after-free vulnerability in Multimedia.api that could lead to code execution (CVE-2009-4324). This issue is being actively exploited in the wild; the exploit targets Adobe Reader and Acrobat 9.2 on Windows platforms.
  • This update resolves an array boundary issue in U3D support that could lead to code execution (CVE-2009-3953).
  • This update resolves a DLL-loading vulnerability in 3D that could allow arbitrary code execution (CVE-2009-3954).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2009-3955).
  • This update mitigates a script injection vulnerability by changing the Enhanced Security default (CVE-2009-3956).
  • This update resolves a null-pointer dereference vulnerability that could lead to denial of service (CVE-2009-3957).
  • This update resolves a buffer overflow vulnerability in the Download Manager that could lead to code execution (CVE-2009-3958).
  • This update resolves an integer overflow vulnerability in U3D support that could lead to code execution (CVE-2009-3959).

Adobe rates this a “critical” update on all platforms.  The flaws affect Adobe Reader 9.2 and Acrobat 9.2 for Windows, Macintosh and UNIX; and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh.

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

[ SEE: Adobe confirms PDF zero-day attacks. Disable JavaScript now ]

According to this document released alongside the patches, Adobe has turned on the Enhanced Security feature by default.

Enhanced security provides two tools designed to help you protect your environment: a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions. In other words, you can either block dangerous actions altogether or else selectively permit them for locations and files you trust.

It also includes privileged location improvements, cross domain support, warning message and dialog improvements and the disabling of legacy multimedia support by default.

Adobe is also beta testing a new automatic updater for Reader and Acrobat.  By default, the updater will silently patch installations without user interaction.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

37
Comments

Keeping Reader-Java turned off
Tom12Tom 13th Jan 2010
I'm keeping Adobe Reader's Java option turned off, because it apparently isn't needed for the type of *.pdf documents that I read.
0 Votes
+ -
Don't you mean..
AzuMao 13th Jan 2010
..uninstalling Adobe Reader? You do get that only some of these attacks rely on Adobe's javascript engine, right?
0 Votes
+ -
You do get...
Tom12Tom 14th Jan 2010
"You do get that only some of these attacks rely on Adobe's javascript engine, right?"

Yes, I do.

Every popular program and operating system gets attacked, and patched, and attacked, and patched. That's just the norm.
0 Votes
+ -
No, it's not.
AzuMao 14th Jan 2010
The problem isn't them being attacked, it's them being made broken. For example, if they made Reader so that it didn't do things like execute arbitrary ******* code for no reason, it would be safe to use it. But noooo... that's just asking tooooo much.

Notepad falls under your list of "popular programs", surely? Yet it doesn't run random code in the file. Nope. Sadly, most programmers nowadays are in too much of a hurry to make anything more complicated than Notepad without ******* up big time. But that's not an axiom, it isn't a fundamental intrinsic problem with programs/OSs/computers in general. It's just a problem with ****** companies writing ****** code.

It would be nice if Adobe would update the packages available for corporate deployments when they provide patches like this. First you install a 25 MB package, then run the updater and download another 3-4 packages totaling 90+ MB by the time you are done.

As for their automatic updater, in a managed environment, do we really want every system going to the Internet and downloading a package?

And why does the reader need to be bloated to 35 MB anyways?
0 Votes
+ -
There is a link to the Adobe site and from there it plainly links to the MSP file (AcrobatUpd930_all_incr.msp) for Acrobat Std/Pro. If you need 9.3 reader, simply download the new version of the software as there is no update. If the size is a problem, there are lots of other PDF viewers out there that are much smaller (with fewer features and fewer security issues).
0 Votes
+ -
Because..
AzuMao 13th Jan 2010
..Adobe is beyond hiring programmers to make their programs.

Instead, they simply roll their heads back and forth on the keyboard until, by some miracle, working code is generated. This usually results in dozens of millions of extra bytes of code.
0 Votes
+ -
Good one
Muttz 13th Jan 2010
You just about made coffee come out of my nose
0 Votes
+ -
Agreed 100%
lehnerus2000 13th Jan 2010
nt

lehnerus2000
0 Votes
+ -
That comment was great...
staggerleee 14th Jan 2010
Adobe programmers rolling their heads on the keyboard, and Adobe users banging their heads on their keyboards.
We spent this morning re-installing 9.2 on a terminal server used by 100+ users because yesterday Adobe got corrupted. Auto updates were disabled, so we are looking into if it tried updating via some other means...
0 Votes
+ -
Best solution, remove Adobe from your PC.
No_Ax_to_Grind 13th Jan 2010
Sorry but it offers nothing worth the headaches.
0 Votes
+ -
We agree on something, awesome!
AzuMao 13th Jan 2010
0 Votes
+ -
I too, agree
Zodarr 14th Jan 2010
and am using Foxit for a long time. Suits my needs perfectly.
Considering to check out Sumatra...
0 Votes
+ -
I heartily concur
Rodo1 13th Jan 2010
Adobe makes MS look like the most secure software in the world. Not to mention that Adobe is the bloatware king hands down.
0 Votes
+ -
I just got the "update." It was 60.3 MB and was a full new version, not what I'd consider an update. Sure glad I got rid of dialup!
0 Votes
+ -
Sadly...
PollyProteus 13th Jan 2010
For filling out some government forms published as forms in PDF format, I need to use Adobe.

I tried using FoxIt and while that worked great for reading, when I filled out a form and saved it, they watermarked the form, basically it said that to get unwatermarked forms, buy the pro package.

What I really wish Adobe would put more effort into is their flash player. That thing sucks big time and yet 90% of the webpages I go to all "require" flash.
0 Votes
+ -
Sadly, free Adobe Reader (AR) doesn't let you save fill-in forms as well. When I came across that problem a few years ago (earlier AR versions), I looked for alternatives. The full Adobe product was about $500 while many alternatives were $100 or more. I only needed to save a few PDF forms, so I kept looking for a cheaper alternative. I finally found PDFill, http://www.pdfill.com/ . It did what I needed and has some nice free PDF tools in addition.
0 Votes
+ -
Think of the makers of pain killers
eric.jernigan 13th Jan 2010
If we took your advice the makers of Tylenol and Advil would lose business...

Seriously I agree, I recommended my users migrate to Foxit or Sumatra. Today's adobe update is just a headache away tomorrow's exploit...almost literally.
0 Votes
+ -
You forgot..
AzuMao 14th Jan 2010
..Prozac!
0 Votes
+ -
Ah, still using this non-term.
dgurney 13th Jan 2010
Year after year, never telling us WTF they think they mean by "zero day."
0 Votes
+ -
The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software.[1] (In computer science, numbering often starts at zero instead of one.)
0 Votes
+ -
True but not true (!?)
eric.jernigan 13th Jan 2010
UsersRevil, you are spot on. What makes information security different within the computer science discipline is that definitions are popularity based in their meanings example:

Hacker- someone who likes to break down a resource (hardware/software) to understand or improve upon it

Cracker- douche-bag who attacks systems/people/info for personal gain with the intent of harm

Since few people use "cracker" in a sentence without cheese in it...hacker wins the definition

You should see how pen-test gets butchered. Until a better "know your terminology" campaign starts expect to see more mighty morphing terms.
0 Votes
+ -
Ditch Adobe
Lovs2look 13th Jan 2010
I can't stand the security nightmare and the bloated size for a friggin PDF reader! 60 odd megabytes...come on!
Foxit won my heart and the 100 desktops that I manage with simple elegance.
Now if someone else (listen up Foxit) would come up with a flash/shockwave player that was lean and secure, I would jump ship in a heartbeat. Surely it can't be that hard...can you tell I'm not a programmer?
0 Votes
+ -
I agree - Ditch Adobe
DocNasty 13th Jan 2010
Honestly, I don't know why people use this junk software. I blame MAC commercials personally. Someone said that Macs were best for audio and visual, and it was adobe software, now people think it's industry standard.

Anyways, yes, I agree.. Ditch Adobe. Their flash player sucks. Even after 5 versions since its discovery it still caches streaming audio, unless you pay 1000s of dollars for their MX Server.
0 Votes
+ -
Too late on fixing this
DocNasty 13th Jan 2010
Actually, this is just a small part of Adobe's bigger problem... But let's focus on what they're trying to patch up.

They're trying to patch malformed pdf files that carry destructive payloads like the updown virus. These PDF files are delivered thru hacked/corrupted flash banner ads on most websites that use banner services.. (ow.ly, isohunt, etc) The pdf is served to your system, automatically opened on your system in your browser where your system is ravaged.

The real way to fix this is to not allow adobe reader to automatically open on your system. The problem, is that it hooks into way too much stuff, so I may have someone serve me a pdffa file, and adobe will grab it and pick it up, and try to execute it. I agree tho.. that uninstalling Adobe completely from your system is the best way to go. Consumer wise, this should have been fixed a long time ago.. 3 versions ago.

So, this is just a minor fix and mostly reactionary. What both Microsoft/Google/Firefox should do.. and work with the vendors like Adobe/etc and only allow the 'ocx' files like adobe reader, to not interact with the local system. Virtualization is key now, use it.
0 Votes
+ -
What are better alternatives to Adobe? I've wondered if it was riding on the historical laurels, but haven't seen alternatives. How about a good review of products that parallel Adobe (Acrobat, Photoshop represent important functionality).
0 Votes
+ -
What are better alternatives for Acrobat and Photoshop? The better media player is also in the search pattern.
0 Votes
+ -
Alternatives
DaveN_MVP 13th Jan 2010
I'm testing Nitro PDF Professional, which costs a third the price of the cheapest Acrobat version. Although I haven't had a chance to really put it through its paces, so far I'm as satisfied with Nitro as I am with Acrobat.

I need something more than just Reader, but for those looking to just read PDF files, Foxit is highly regarded by its users.

And for media players, I recommend Zune (you don't need a Zune device to use the software). Other than that, there's VLC. I think Zune and the built-in Media Player in Windows Vista and 7 do a better job of playing most files, but I've been very satisfied with how VLC handles damaged files, or those requiring odd codecs, etc.

While I find the features in Acrobat to be excellent, we all know their security has been abysmal. Their support is iffy, and they will release a new version and then leave many bugs unfixed in the prior ones, as a way to force you to upgrade. There are still so many bugs in 7 that they gave up on it, and released 8 and 9 right on top of each other.
0 Votes
+ -
WMP 12, blech!
lehnerus2000 14th Jan 2010
I found WMP 12 to be awful (for music, I didn't try it with video). I used "Turn Windows features on or off" to get rid of it.

I use:
Winamp for music on Windows 7.
WMP 10 for music on XP (you have to install it before SP2 and/or SP3 though).
Media Player Classic for video on XP and Windows 7.
Foxit Reader for PDFs on XP and Windows 7.

lehnerus2000
0 Votes
+ -
RE: Alternatives
ep-man 15th Jan 2010
There's also SumatraPDF, DaveN_MVP:
http://blog.kowalczyk.info/software/sumatrapdf/index.html
Portable, lightweight and fast. Even loads faster than Foxit Reader. For those who have already dumped Adobe Reader, get Sumatra PDF Viewer from the creator's web site.
You just about make coffee come out of my nose...
0 Votes
+ -
Ooops
Muttz 13th Jan 2010
Supposed to be a reply to message 5
So they decided to release full installation updates for Adobe Readers 8 & 9. Meanwhile, another patch for the full/paid copies. So if you buy a copy of Acrobat 9 Pro Extended you need to download over 300 MB in 4 updates [and more to come!] and install each update one at a time [with at least one reboot [required?] during the updates]. Why can't they just release a 9.0.0 to 9.3.0 update and make life easy?
0 Votes
+ -
Adobe only partly to blame
*sigh* 15th Jan 2010
The problem is PDF can contain many things: jpeg, PNG, javascript, flash, quicktime, JBIG, JP2K, U3D, etc. Many of these are open source libraries (take the WebKit javascript engine for example which everyone is harping on). When a security vulnerability is discovered in something open source, people get patches quickly automatically for their OS, browser, and application suite, but do they auto-update Adobe Reader? Meanwhile hackers have a roadmap with the open source before and after the code fix.

Microsoft believes the majority of 'BOTs are computers with auto-update off. So part of the blame are users who are wide open. A good fraction of those will never get the message and continue running a 5 year old version "because it works fine."

Adobe needs to make their updater streamlined and default to auto-update for security fixes.

Finally, the computer industry needs to recognize threats and patches are now part of the fabric of computing and provide a built-in facility to patch everything from BIOS to apps. It's ridiculous how many little apps hover in the tray to update Java, drivers, apps, tools, etc. Please, one updater to rule them all.
0 Votes
+ -
Why do I need JavaScript to read my bank statements?
Earthling2 Updated - 17th Jan 2010
Similarly, I don't expect videos in my bills.

This is the principal problem with Adobe. Instead of developing a good application that legibly renders equivalents of paper documents on all platforms, Adobe crams an equivalent of an OS into an application, enables all features by default, adds Air that I don't need, tries to download it with what appears to be a third party download manager and sticks the Google toolbar in the process.

Even worse, I can't just disable JavaScript once. I have to do that in every account.

Even more silly: it keeps reinstalling the desktop shortcut each time it does an update, and only an admin can remove it.
0 Votes
+ -
To..
AzuMao 18th Jan 2010
..protect the children, of course!


The more computers suck, the less likely people
will use them.

The less people use computers, the more people
exercise.

The more people exercise, the less people get
diabetes.

Children are people too.

Thus, it is to save children from getting
diabetes and dying.

Do you disagree that children are people too?
0 Votes
+ -