New Adobe PDF zero-day under attack

Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.

Details on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.

Here's Adobe's warning:

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

Ominously, Adobe said it cannot offer any pre-patch advice to help users thwart the attacks.

Unfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

An Adobe spokeswoman described the attacks as "limited" but warned that that could change with the availability of public exploit code. She said the company was notified of the attacks yesterday (Tuesday September 7, 2010) via information from a private partner company.

Affected software includes:

  • Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
  • Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

The next batch of Adobe Reader/Acrobat patches is scheduled for October 12, 2010 but it is likely the company will ship an out-of-band update for this issue.

UPDATE: A sample PDF from the attack is publicly available. It targets Windows users, affects Acrobat 8 and 9, exploits multiple versions at once, and bypasses DEP and ASLR.

Talkback

35 comments
  • Exactly why Flash needs to go...

    PDF and Flash are great formats, but the closed nature of both formats and the fact that the whole world has to wait for a single company to address the issue (instead of the browser teams and OS teams independently working on solutions) makes me for one very nervous. It's exactly this level of dependence on a single company that makes me think Jobs/Apple was right to not put Flash into iOS, and makes me very worried about Android now that they HAVE put Flash into their OS (especially considering how slowly patches for mobile OS's come out compared to desktop OS's).
    timothyt1
    • RE: New Adobe PDF zero-day under attack

      @timothyt@...

      PDF is not closed.

      http://en.wikipedia.org/wiki/Adobe_PDF

      http://www.adobe.com/devnet/pdf/pdf_reference.html
      dragosani
      • RE: New Adobe PDF zero-day under attack

        @dragosani
        Don't bother...he'll just report you as spam too!

        Update! Guess the moderator saw that it wasn't spam!
        My post came back!
        wizard57m-cnet
    • Say what?

      @timothyt@... quote "It's exactly this level of dependence on a single company that makes me think Jobs/Apple was right to not put Flash into iOS, "
      OK, let's forget that this blog post didn't mention Flash at all and get that out of the way! end quote
      The PDF vulnerability is also cross-platform. You do know what that means, don't you? Here..."Here's Adobe's warning:

      "A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh."

      OK, got that out of the way. Finally...you rant against dependence on a single company, and to support your position you use Apple as your example? Is Apple now made up of more than a single company? Closed nature of Flash and PDF? Ever hear of OSFlash for Flash or PDFCreator for PDFs?
      ps...use the "search" function on your iPad prior to posting.
      wizard57m-cnet
    • This has NOTHING to do . . .

      @timothyt@...

      With Flash. And as for .pdf, there are several readers you can use, you don't have to use Adobe's. There is Foxit Reader, and Nitro PDF Reader, both of which are good.

      As for the closed format issue, I suggest you read this before sticking your foot any further down your throat:

      http://en.wikipedia.org/wiki/Portable_Document_Format

      And one more thing:

      Stop Trolling!!! There are better ones than you, and they don't even have to resort to sounding like a 5 year old ( most of the time anyway).
      JLHenry
    • Exactly why ZD need to go

      horseshit terms like "zero day", used over and over for years but never defined.

      We have an ample language, yet these "journalists" seem unable to communicate with it.

      This is reminiscent of L.A.'s "red flag alerts". WTF is that supposed to mean? "Holy crap, dudes, RED FLAGS are raining down from the heavens!"
      dgurney
  • Adobe reader vs Foxit

    Big fan of Foxit. Are they under the same vulnerabilities as Adobe or just not enough hacker interest to try?
    powaymojo
    • Foxit

      @powaymojo
      I don't know either, but the last serious vulnerability did affect Foxit (one of my favs too). BRB (checking Foxit web site) Didn't see anything on the Foxit site, not on front page anyhow.
      wizard57m-cnet
      • Foxit guys fix the problem in days

        Adobe took months.
        wackoae
    • RE: New Adobe PDF zero-day under attack

      @powaymojo Yes, they do have some of the same (if not the same) vulnerabilities as Adobe. HOWEVER, they are also a much smaller application so are easier to fix.
      Lerianis10
    • RE: New Adobe PDF zero-day under attack

      @powaymojo

      I just had a user with Foxit Reader that was infected. It doesn't seem limited to Adobe.
      audidiablo
  • RE: New Adobe PDF zero-day under attack

    The story does not tell me exactly how this is done. If they would be more explicit in the information I would be able to determine how to protect myself. Does this mean I cannot open any PDF file or send one??
    ranchgirl2
  • RE: New Adobe PDF zero-day under attack

    I really would like to know if this is an Adobe-only problem or a general PDF reader problem. There are many of us who got rid of cluttered and overloaded Adobe Reader a long time ago and use FoxIt PDF or something else.
    malcarada
  • Oh the humanity.

    Folks if you are like me, when you read today's Adobe flaw headline, you mutter, 'who cares?'.

    Why? Because it doesn't matter if:

    o You use Ubuntu with AppArmor profiled Evince (PDF reader)
    o Or your Ubuntu Windows VM instance is set to 'immutable'

    The latter makes anything that *may* get a toehold in your Windows VM session get thrown away when you shutdown the VM. It returns to its original pristine (immutable) state.

    No worries. Be happy.

    Ubuntu Linux: The safest operating system on the planet.

    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: New Adobe PDF zero-day under attack

      @Dietrich T. Schmitz, Your Linux Advocate

      You forgot:

      Why? Because it doesn't matter if:

      -You use any of the alternative, more efficient, free PDF Readers,

      or -You remain on reputable websites and are responsible in your usage...

      ...

      You're practically a legend around these boards now, my man. However, no one is switching to Ubuntu. The most you might get is a dual or triple-boot configuration (I've dual-booted with XP and Ubuntu 10.4...although now dbing with 7 and XP), with most computing done via Windows 7/XP...

      You're still very enjoyable to read...if only because of your adamant nature...

      Happy Posting!!
      GSystems
    • RE: New Adobe PDF zero-day under attack

      @Dietrich T. Schmitz, Your Linux Advocate

      Shut up WILL YOU?
      shellcodes_coder
    • RE: New Adobe PDF zero-day under attack

      @Dietrich T. Schmitz, Your Linux Advocate

      Ironically I must agree mostly... Linux is quite safe and Ubuntu is quite friendly although those dolts need to put the min/max/close back without me having to gconf-edit it back. On the other hand wasn't it Linux that had a virus in their repository for over half a year without notice as they bear almost the same arrogance of security as Apple users? Furthermore being based off Unix same with Apple wouldn't it be possible to be vulnerable? If it is PDF alone as an issue it wouldn't be irrelevant what reader you use?
      audidiablo
      • RE: New Adobe PDF zero-day under attack

        @audidiablo
        Without knowing the nature of the vulnerability, it could be any PDF reader that was potentially at risk. Someone above said FoxIt was affected also, in which case it could be a fundamental problem affecting all platforms (including Linux with AppArmor; OSX has comparable protection, and it is affected along with other UNIX versions of Reader), although the payload is most likely to target Windows. The Linux zealot's post above is too stupid to reply to directly, showing the kind of ignorance Mac users have been accused of in the past.
        msandersen
  • The best defense

    The best defense is not to open any new PDFs. Period. After about 24 hours, then do a deep scan on all those new PDFs before opening them, or if you know the source that created the PDFs, ask them to re-create their PDFs and test them before sending them out. Some security software can detect potential attacks before there are official "antidotes" (such as Blink from eEye Digital Security). But then, you could just delete all unsolicited PDFs and never open them.

    Just as a side note, I downloaded and opened a document in the .djvu format yesterday, and it tried to send a message out to China, which my copy of Blink blocked and quarantined. PDF may not be the only format to be infected with this attack.
    bionicbub
    • RE: New Adobe PDF zero-day under attack

      @bionicbub

      Quick Question (not trolling)... Why do you propose waiting 24 Hours with a locally stored PDF before opening it?

      Haven't heard of Blink, but Microsoft Security Essentials does a good job for me (stopping attacks before downloads complete--essentially scanning the file before it's stored locally)...even cleans out the temp file that may be created by a rogue program...

      And,

      If you know the source of the PDF, and can verify that the person sent it to you...possibly through a follow-up email from them, or an included note that relates to the information they're sending, why would you ask them to recreate the PDF? A simple phone call should resolve any doubt, no?

      Just engaging since no one else has...

      Happy Posting!!
      GSystems