Adobe patches PDF bugs hackers already exploiting

Fixes 17 flaws in Reader and Acrobat, gets kudos for rush job

Adobe on Tuesday patched 17 critical vulnerabilities in Reader and Acrobat, including one that hackers have been using for nearly a month to commandeer PCs.

Another patch fixed a design flaw in the PDF format that attackers have been exploiting since April to dupe users into downloading a Trojan horse.

Adobe rushed the security update, which was originally slated to ship July 13, because exploit code went public and attacks using rigged PDF documents started showing on antivirus vendors' reporting systems four weeks ago. The company patched Flash -- hackers were tricking people into visiting malicious sites, then using the same bug to launch drive-by attacks -- on June 10.

Sixteen of the 17 fixed flaws were labeled with the phrase "could lead to code execution" in Adobe's advisory , the company's way of saying that the bug was critical and could be used to hijack machines. Like Apple , and unlike Microsoft , Adobe doesn't rate the severity of the vulnerabilities it patches. The seventeenth patch was also likely critical: "Arbitrary code execution has not been demonstrated, but may be possible," the advisory read.

Another fix addressed a design problem in the PDF document format that could be leveraged to con users into downloading malware. The bug, which was not strictly a security vulnerability, was first disclosed by Belgium researcher Didier Stevens in late March. Stevens demonstrated how a multi-stage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader. Stevens also showed how a Reader warning could be changed to further fool users.

Hackers have been using Stevens' technique in mass attacks to infect Windows PCs with bot Trojans.

With the updates to versions 9.3.3 and 8.2.3, Adobe changed Reader and Acrobat so that the /Launch function was disabled by default -- in earlier editions it had been turned on -- and fixed the bug in the warning dialog so hackers couldn't modify it. "Today's update includes changes to resolve the misuse of this command," said Steve Gottwals, an Adobe group product manager, on a company blog . "We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks."

Stevens confirmed the fixes in a post to his blog Tuesday. "Not only is the dialog box fixed, but the /Launch action is also disabled by default," he said.

Five of the 17 bugs Adobe patched Tuesday were reported by Tavis Ormandy, the Google security engineer who was at the center of a brouhaha earlier this month after he publicly disclosed a vulnerability in Windows when Microsoft wouldn't commit to a patching deadline.

Ormandy applauded Adobe's quick response in a Twitter message, comparing it to his experience with Microsoft. "I take back anything bad I've ever said about Adobe security, it's been a pleasure working with them," said Ormandy Tuesday. "Microsoft could learn from those guys."

Stevens echoed Ormandy's take. "Yup, agree and confirm, PSIRT [Adobe's Product Security Incident Response Team] people are nice to work with," he said on Twitter .

Other Reader bugs were reported by Nicolas Joly of the French firm Vulpen Security (four vulnerabilities), Microsoft's security group (one vulnerability) and Danish bug tracking company Secunia (two vulnerabilities).

Some security researchers have blasted Ormandy for going public with the Microsoft vulnerability while letting other vendors -- such as Adobe -- work on fixes for bugs he's reported and kept private.

"What we have is a guy who discloses responsibly when he feels like it, (i.e. it's a company he likes or it's too small to get him any publicity), but irresponsibly discloses when it's a company he doesn't like (or is big enough to gain him wide publicity)," argued Mary Landesman , a ScanSafe senior security researcher, in a blog two weeks ago.

Ormandy has said he took the Windows vulnerability and his exploit code public when negotiations with Microsoft over a patch deadline broke down five days after he reported the bug. Microsoft has promised a fix, but has not committed to a patch date.

Hackers are currently exploiting the flaw .

Adobe Reader and Acrobat for Windows, Mac and Linux can be downloaded using the links included in Tuesday's advisory . Alternately, users can use the programs' built-in update mechanism to grab the new versions.

In April, Adobe activated an automatic update mechanism included with recent versions of Reader and Acrobat. Users must manually switch on the automatic updating, however.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftAppleoperating systemssoftwareMalware and VulnerabilitiesCybercrime and Hacking

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Shining a light on creativity

MSI has long pushed the boundaries of invention with its ever-evolving range of laptops but it has now pulled off a world first with the new MSI Creative 17.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?