Unpatched PDF bug poses growing threat, say researchers

Recent exploits evade Adobe's countermeasures; patch not ready.

An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.

The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.

Although Abode recommended that users disable JavaScript in Reader and Acrobat to protect themselves from the current attacks, other researchers now say that such a move may not help.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that didn't rely on JavaScript. "During our analysis, Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled," Carsten Eiram, chief security specialist, said in an entry to the company's blog.

On Tuesday, David Aitel, the founder and chief technology officer of Immunity Inc., made the same claim. "Things like this are harder than they look," he said in a message to his Dailydave security mailing list. "Pablo and Kostya had to work quite a bit on reliability every step of the way. But the Acrobat JBIG exploit now works nicely without any JavaScript heap spray." The exploit has been added to CANVAS, Immunity's commercial penetration testing product.

The next day, Wednesday, Belgian security researcher Didier Stevens said he also had crafted an exploit that triggers the bug without requiring JavaScript, and backed up his claim by publicly posting proof-of-concept attack code. His exploit works in the background, and doesn't require that a user actually open a malformed PDF file.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," Stevens said in a blog post.

Adobe has acknowledged that its advice to disable JavaScript wouldn't be a panacea. In an interview last week, Brad Arkin, Adobe's director for product security and privacy, admitted that only the forthcoming patch would completely protect users. "Disabling JavaScript does not provide a full mitigation," Arkin said. "It protects against one form of attack. To the best of our understanding, there's no product configuration that can completely mitigate the threat."

Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."

Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.

Some security researchers have urged users to do more than turn off JavaScript in Adobe Reader. "From my point of view, Adobe Reader has become the new IE," Mikko Hypponen, chief research officer at Helsinki-based F-Secure Corp., said in a blog entry last week. "For security reasons, avoid it if you can."

Adobe has said it will post a notification on its security site when it issues patches next week.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?