Unpatched PDF bug poses growing threat, say researchers

Recent exploits evade Adobe's countermeasures; patch not ready.

An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.

The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have exploited the flaw since early January.

Although Abode recommended that users disable JavaScript in Reader and Acrobat to protect themselves from the current attacks, other researchers now say that such a move may not help.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that didn't rely on JavaScript. "During our analysis, Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled," Carsten Eiram, chief security specialist, said in an entry to the company's blog.

On Tuesday, David Aitel, the founder and chief technology officer of Immunity Inc., made the same claim. "Things like this are harder than they look," he said in a message to his Dailydave security mailing list. "Pablo and Kostya had to work quite a bit on reliability every step of the way. But the Acrobat JBIG exploit now works nicely without any JavaScript heap spray." The exploit has been added to CANVAS, Immunity's commercial penetration testing product.

The next day, Wednesday, Belgian security researcher Didier Stevens said he also had crafted an exploit that triggers the bug without requiring JavaScript, and backed up his claim by publicly posting proof-of-concept attack code. His exploit works in the background, and doesn't require that a user actually open a malformed PDF file.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," Stevens said in a blog post.

Adobe has acknowledged that its advice to disable JavaScript wouldn't be a panacea. In an interview last week, Brad Arkin, Adobe's director for product security and privacy, admitted that only the forthcoming patch would completely protect users. "Disabling JavaScript does not provide a full mitigation," Arkin said. "It protects against one form of attack. To the best of our understanding, there's no product configuration that can completely mitigate the threat."

Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."

Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.

Some security researchers have urged users to do more than turn off JavaScript in Adobe Reader. "From my point of view, Adobe Reader has become the new IE," Mikko Hypponen, chief research officer at Helsinki-based F-Secure Corp., said in a blog entry last week. "For security reasons, avoid it if you can."

Adobe has said it will post a notification on its security site when it issues patches next week.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?