Don't open that PDF: There's an Adobe Reader zero-day on the loose

Summary: After Java and Flash, Adobe Reader is now under attack, with one security firm warning Reader users to avoid PDFs from unknown sources until Adobe ships a fix.

Security researchers are warning users not to open PDFs from unknown sources in Adobe Reader after finding a PDF zero-day being exploited in the wild.

Researchers at security firm FireEye said on Tuesday they had seen the attack PDFs successfully exploit the latest versions of Adobe Reader for Mac, Linux and Windows.

"Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett noted in a blog post.

The researchers were referring to the latest updates for Adobe Reader XI 11.0.01 for Windows and Macintosh, Adobe Reader X (10.1.5) for Windows and Macintosh, and Adobe Reader 9.5.3 for Windows, Macintosh and Linux, which Adobe released in January to fix 27 critical vulnerabilities in older versions.

"Upon successful exploitation, [the exploit] will drop two DLLs [dynamic link libraries]. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain," FireEye said.

FireEye says it has submitted the sample to Adobe's security team and, with no patch yet available from the company, is warning users not to open any unknown PDF files until it receives confirmation from Adobe.
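With no patch available, the practical question for a defender is what can be done with an untrusted PDF short of opening it in Reader. The following script is an added example for this article, not code from FireEye or Adobe: it inflates FlateDecode streams (where malicious documents commonly bury their triggers) and counts PDF features that can run code or fire automatically (JavaScript, Launch actions, OpenAction/AA triggers, embedded files). The keyword list, the HIGH/MEDIUM grouping, the verdict labels and the two sample documents are all this example's own assumptions; it does not identify the exploit FireEye reported, and a "low" result is not proof that a file is safe.

```python
"""Static triage of an untrusted PDF before it is opened in a viewer.

Added example for this article, not FireEye's or Adobe's tooling. It flags
PDF features that can trigger code or auto-run behaviour; it does not
identify any particular exploit and a clean result is not proof of safety.
"""
import re
import zlib

# Keywords worth flagging; the HIGH/MEDIUM split is this example's choice.
HIGH = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")
MEDIUM = (b"/OpenAction", b"/AA", b"/URI")

# Matches one stream body; DOTALL because stream data is binary.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated contents so the
    keyword scan also sees objects hidden inside compressed (object) streams.
    Streams that do not inflate (other filters, plain data) are left as-is."""
    def _inflate(match):
        try:
            return b"stream\n" + zlib.decompress(match.group(1)) + b"\nendstream"
        except zlib.error:
            return match.group(0)
    return STREAM_RE.sub(_inflate, data)


def triage(pdf: bytes) -> dict:
    """Return the header check, per-keyword hit counts and a coarse verdict."""
    # The spec allows the header anywhere in the first 1024 bytes; viewers are lenient.
    is_pdf = b"%PDF-" in pdf[:1024]
    text = inflate_streams(pdf)
    hits = {k.decode(): len(re.findall(re.escape(k) + rb"\b", text))
            for k in HIGH + MEDIUM}
    if not is_pdf:
        verdict = "not-a-pdf"
    elif any(hits[k.decode()] for k in HIGH):
        verdict = "sandbox-only"   # open only in an isolated VM, if at all
    elif any(hits[k.decode()] for k in MEDIUM):
        verdict = "review"         # auto-run hooks present; inspect before opening
    else:
        verdict = "low"
    return {"is_pdf": is_pdf, "hits": hits, "verdict": verdict}


def build_sample(hidden: bytes) -> bytes:
    """Constructed minimal PDF whose object 2 is a FlateDecode stream carrying
    `hidden`, mimicking a document that buries its triggers in compressed data.
    No xref table: this is test input, not a document meant to render."""
    body = zlib.compress(hidden)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"3 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed inputs: a plain document, and one with an auto-run JavaScript
# action hidden inside a compressed stream (a harmless alert, not an exploit).
BENIGN = build_sample(b"<< /Type /Page /Contents 4 0 R >>")
SUSPICIOUS = build_sample(b"<< /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        result = triage(doc)
        print(name, result["verdict"], {k: v for k, v in result["hits"].items() if v})
```

Run it against a real file with `triage(open(path, "rb").read())`. A naive `grep /JavaScript` would miss the SUSPICIOUS sample entirely, because its trigger sits inside a FlateDecode stream; inflating first is the step that matters. Anything flagged "sandbox-only" should go to an isolated VM or a non-Adobe viewer rather than the affected Reader builds.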

Adobe has confirmed it is looking into the reports. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information," it said in a blog post on Tuesday.

The reported Reader zero-day comes hot on the heels of two Flash Player zero-days that were being exploited by attackers in spear-phishing campaigns, and for which Adobe issued out-of-band fixes last week.

Those attacks relied on SWF Flash files embedded in Microsoft Word documents, according to analyses by FireEye and fellow security firm AlienVault. Another attack aimed at Mac users hosted malicious Flash files on a website.

Adobe yesterday updated Flash Player with a new Click to Play anti-spear-phishing feature that stops Flash content embedded in documents from executing automatically when users open them in Office 2008 and earlier. The change gives those versions the protection already available in Office 2010, whose protected mode asks users for permission before running Flash embedded in a document.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • What about alternative readers?

    I'm curious whether these exploits are specific to the Adobe Reader, or to all readers. There are a number of good alternatives, such as PDFXchange Viewer, PDF Architect, and Sumatra that can be used under the assumption that they are not subject to the exploits on the Adobe readers. Am I delusional or are they really safer?
    • Very Good Question!

      Few if any of these reports bother to mention whether the exploit is taking advantage of a weakness of the protocol, or if it is a weakness of the implementation only that is exploited.
  • Enough Already!

    There's another exploit out there.
    SO WHAT?
    Is the sky falling?
    Anyone got hit?
    (Same question for the apocalypse Java exploit)
    • Ahem! Yes, it IS important!

      Newsflash: just because you don't see the importance doesn't mean it isn't there. This is an important indicator of just how insecure Adobe software really is, that they are as bad as Microsoft about it, since both they and Microsoft have been allowing security problems to grow in their code for years.
    • Anyone got hit?

      Hell yeah, it's just Facebook and Google devs... is it scary enough for you, Mister Computer Whizz???
  • Enough is enough!

    When do we start using drones to take out these hackers? I am so past ready to see video of these thieves getting blown to smithereens!
  • Foxit reader

    Is the alternative pdf reader from Foxit subject to the same attack?

  • Sumatra V2.2.1 subject to this?

    I walked away from Adobe a couple of years back because they just assume that my machine is their machine when applying updates. Sumatra handles many more file types as well. Is it subject to this problem?
  • This is why the Windows 8 reader apps are good

    They run in AppContainer (whether it's the Microsoft-provided one or the Adobe version in the Store).
    • Didn't know

      Thanks for sharing the info!
  • Adobe reader

    Good results with Foxit and Google reader; I quit using Adobe reader a couple of years ago.
    preferred user
  • Prehistoric Dead Fossils

    Is this the best we can do? I mean really, it's starting to sound like it also has a smell of rotting code that attracts other rotten code. It just never goes away.
  • Preview - on the Mac

    As others have pointed out, there are a myriad of alternative readers out there. On the Mac, the built-in Preview application is all that I ever use and have for years.
  • Garbage, garbage, & more garbage . . .

    I dumped Java years ago, and recently uninstalled Flash as well. Java has outlived its usefulness (if it ever had any given its problems) and Chrome has Flash running within it, properly sandboxed and tamed. YouTube still runs mostly even without Flash on account of HTML. Will I dump Adobe's PDF Reader? I'm not sure yet. I'm also not sure if I trust some of the other programs out there enough to protect me.
  • Who's accusing who . . . again

    This is the latest game played by the big software vendors. Java was fine until it was bought by Oracle, then suddenly it's an open door to hackers. Microsoft attempted to completely disable Java in Windows 2000. The easiest human vulnerability to play on is their paranoia about security with that headline-grabbing word 'Virus'. My message to the big vendors is "spend the money on fixing your bugs and improving your software".
  • Linux and Mac also vulnerable?

    "Upon successful exploitation, [the exploit] will drop two DLLs [dynamic link libraries]. The first DLL shows a fake error message ...."

    Sorry, but neither Linux nor Mac will run Windows DLLs... So even if your PDF reader is vulnerable, the payload will not run on Linux or Mac. Better fix the real zero-day problem, Windows ;)
    Johan Safari
    • You are smart man

      thankfulness that the payload is dll and can't be any other type of file. this truly make my apple safe now. thankfulness to you. I was worried but now I feel warm and snuggly again.
      Burger Meister
    • So it's all Microsoft's fault - again ---- NOT!

      It really annoys me that everyone seems to blame Microsoft and Windows. Since Vista, and with each subsequent release of Windows, security has improved and the attack vectors have become fewer and fewer - but you simply can't stop other applications having exploits, unless you want them to do absolutely nothing or the system not to be connected to the Internet.

      If you look at the investment Microsoft have made in re-engineering their code to be more secure and in improving their processes to actively fix anything that has got missed, then it puts most if not all of the other companies to shame.

      As for Linux and Mac machines, it is not difficult to see how equivalent payloads could be dropped onto those machines by this approach, so it is dangerous to assume that the problem is only relevant for Windows machines without actually knowing what it is doing.

      After all, it just goes to show that, if one target (Windows) continues to get more and more protected, then attackers will go for other widely used components to try to achieve the same thing - witness Java, Flash as well as this.
    • Probably...

      you're already infected and you'll never know! Hubris is the worst (Linux or Mac) user's sin...well, the second worst, because the first is carelessness!
  • That is unpossible

    "successfully exploit the latest versions of Adobe's PDF Reader for Mac, Linux and Windows." they told me at store the no apple machine can get bad virus badness. How to clean my system?
    Burger Meister