Unpatched PDF bug poses growing threat, say researchers

Recent exploits evade Adobe's countermeasures; patch not ready.

An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.

The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.

Although Abode recommended that users disable JavaScript in Reader and Acrobat to protect themselves from the current attacks, other researchers now say that such a move may not help.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that didn't rely on JavaScript. "During our analysis, Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled," Carsten Eiram, chief security specialist, said in an entry to the company's blog.

On Tuesday, David Aitel, the founder and chief technology officer of Immunity Inc., made the same claim. "Things like this are harder than they look," he said in a message to his Dailydave security mailing list. "Pablo and Kostya had to work quite a bit on reliability every step of the way. But the Acrobat JBIG exploit now works nicely without any JavaScript heap spray." The exploit has been added to CANVAS, Immunity's commercial penetration testing product.

The next day, Wednesday, Belgian security researcher Didier Stevens said he also had crafted an exploit that triggers the bug without requiring JavaScript, and backed up his claim by publicly posting proof-of-concept attack code. His exploit works in the background, and doesn't require that a user actually open a malformed PDF file.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," Stevens said in a blog post.

Adobe has acknowledged that its advice to disable JavaScript wouldn't be a panacea. In an interview last week, Brad Arkin, Adobe's director for product security and privacy, admitted that only the forthcoming patch would completely protect users. "Disabling JavaScript does not provide a full mitigation," Arkin said. "It protects against one form of attack. To the best of our understanding, there's no product configuration that can completely mitigate the threat."

Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."

Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.

Some security researchers have urged users to do more than turn off JavaScript in Adobe Reader. "From my point of view, Adobe Reader has become the new IE," Mikko Hypponen, chief research officer at Helsinki-based F-Secure Corp., said in a blog entry last week. "For security reasons, avoid it if you can."

Adobe has said it will post a notification on its security site when it issues patches next week.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?