New Adobe PDF zero-day under attack
Summary: Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.
Details on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.
Here's Adobe's warning:
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.
Ominously, Adobe said it cannot offer any pre-patch advice to help users thwart the attacks.
Unfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
An Adobe spokeswoman described the attacks as "limited" but warned that this could change with the availability of public exploit code. She said the company was notified of the attacks yesterday (Tuesday, September 7, 2010) via information from a private partner company.
- Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
- Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
The next batch of Adobe Reader/Acrobat patches is scheduled for October 12, 2010, but it is likely the company will ship an out-of-band update for this issue.
UPDATE: A sample PDF from the attack is publicly available. It targets Windows users, affects Acrobat 8 and 9, exploits multiple versions at once, and bypasses DEP and ASLR.
Talkback
Exactly why Flash needs to go...
Update! Guess the moderator saw that it wasn't spam!
My post came back!
Say what?
This has NOTHING to do . . .
With Flash. And as for .pdf, there are several readers you can use, you don't have to use Adobe's. There is Foxit Reader, and Nitro PDF Reader, both of which are good.
As for the closed format issue, I suggest you read this before sticking your foot any further down your throat:
http://en.wikipedia.org/wiki/Portable_Document_Format
And one more thing:
Stop Trolling!!! There are better ones than you, and they don't even have to resort to sounding like a 5 year old (most of the time anyway).
Exactly why ZD need to go
This is reminiscent of L.A.'s "red flag alerts". WTF is that supposed to mean? "Holy crap, dudes, RED FLAGS are raining down from the heavens!"
Adobe reader vs Foxit
Foxit
I don't know either, but the last serious vulnerability did affect Foxit (one of my favs too). BRB (checking Foxit web site) Didn't see anything on the Foxit site, not on front page anyhow.
Foxit guys fix the problem in days
I just had a user with Foxit Reader that was infected. It doesn't seem limited to Adobe.
Oh the humanity.
Why? Because it doesn't matter if:
o You use Ubuntu with AppArmor profiled Evince (PDF reader)
o Or your Ubuntu Windows VM instance is set to 'immutable'
The latter makes anything that *may* get a toehold in your Windows VM session get thrown away when you shut down the VM. It returns to its original pristine (immutable) state.
No worries. Be happy.
Ubuntu Linux: The safest operating system on the planet.
I stake my reputation on it.
Shut up WILL YOU?
RE: New Adobe PDF zero-day under attack
Ironically, I must agree mostly... Linux is quite safe and Ubuntu is quite friendly, although those dolts need to put the min/max/close back without me having to gconf-edit it back. On the other hand, wasn't it Linux that had a virus in their repository for over half a year without notice, as they bear almost the same arrogance of security as Apple users? Furthermore, being based off Unix, same with Apple, wouldn't it be possible to be vulnerable? If it is PDF alone as an issue, wouldn't it be irrelevant what reader you use?
RE: New Adobe PDF zero-day under attack
Without knowing the nature of the vulnerability, it could be any PDF reader that was potentially at risk. Someone above said Foxit was affected also, in which case it could be a fundamental problem affecting all platforms (including Linux with AppArmor; OS X has comparable protection, and it is affected along with other UNIX versions of Reader), although the payload is most likely to target Windows. The Linux zealot's post above is too stupid to reply to directly, showing the kind of ignorance Mac users have been accused of in the past.
The best defense
Just as a side note, I downloaded and opened a document in the .djvu format yesterday, and it tried to send a message out to China, which my copy of Blink blocked and quarantined. PDF may not be the only format to be infected with this attack.
RE: New Adobe PDF zero-day under attack
Quick question (not trolling)... Why do you propose waiting 24 hours with a locally stored PDF before opening it?
Haven't heard of Blink, but Microsoft Security Essentials does a good job for me (stopping attacks before downloads complete, essentially scanning the file before it's stored locally)... even cleans out the temp file that may be created by a rogue program...
And,
If you know the source of the PDF, and can verify that the person sent it to you...possibly through a follow-up email from them, or an included note that relates to the information they're sending, why would you ask them to recreate the PDF? A simple phone call should resolve any doubt, no?
Just engaging since no one else has...
Happy Posting!!