On Tuesday, Adobe pushed almost as many vulnerability fixes as Microsoft, smashing 29 bugs with a single release. The issues fixed will depend on the software version, but between Adobe Reader and Adobe Acrobat, there were plenty of flaws to go around.
The patches released by Adobe correct vulnerabilities on UNIX, Macintosh, and Windows platforms. Most of the vulnerabilities addressed in this quarterly update center on code execution flaws, thirteen of them to be exact, where malicious PDF files were used to distribute malware or simply hijack a targeted system.
“Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe said.
The recommendation from Adobe is simple: patch now or suffer. In its advisory on the quarterly update, Adobe said that everyone on Acrobat or Reader 9.1.3 or lower should upgrade to version 9.2. The same goes for users on versions 8.1.6 and 7.1.3 of Acrobat and Reader, who should switch to versions 8.1.7 and 7.1.4.
Adobe has had to deal with attacks on their software all year long. Earlier this week, Adobe confirmed attacks on their PDF software, and promised patches to address them. There were patches in March that addressed flaws, which were being exploited for almost two months, patches in May for another round of PDF issues, and the Flash update in July.
While looking into this month’s patches from Adobe, we talked with Jeremy Conway, who is the Product Manager for NitroSecurity. Jeremy wrote an interesting paper on weaponizing PDF files. He shared this with us as part of our research.
“Enterprise environments have grown extremely comfortable and dependent upon the PDF for rendering items such as reports, articles, and documents that are normally only read and not edited. It is these assumptions and dependencies that are now being utilized against us to attack our infrastructures by criminal organizations and malicious code writers,” Conway explained.
He went on to say that, in the last year, these malicious code writers have expanded their attack vectors from web-based exploit kits into the application layers to hide their intentions and actions from network security detection technologies.
By using the extensive functionality of feature-rich PDF rendering applications, such as Adobe's PDF Reader, malicious code writers are able to create covert channels that let them retrieve malicious payloads without any user interaction or notification.
So what’s next? As Conway wrote, things will get worse before there is real progress.
“I believe the next logical step for malicious code writers is to take advantage of internal capabilities for rendering multimedia data. Attackers will begin to utilize the interconnection capabilities within PDF to facilitate a wider range of attacks and possibly embed entire PDF exploit packs inside a single PDF document,” he said.
Explaining this further, Conway said that a “…PDF exploit pack would enable a malicious code writer to perform some simple operations within the PDF document structure to identify accessible multimedia applications and their version numbers. This information could then be utilized to pick an exploit that specifically targets a particular application and then performs an attack on that application.”
In addition, he thinks that future PDF attacks will target existing PDF documents on a user’s system.
“The PDF structure allows for updates to be performed in an incremental style. This enables updates to be appended to the end of the PDF without changing the original appearance or functionality of the PDF. By appending malicious code to our trusted and locally stored PDF documents malicious code writers would likely increase the exposure of their malformed intentions without us being aware of it.”
While this seems far-reaching, it is possible to prepare ahead of time for these types of attacks, Conway noted. There is no reason “to throw up our hands and surrender.”
“Think of this as you would a war for which the malicious code writers will most likely win a few battles and we will win a few battles, but in the end we hope that it is our technologies and security policies that enable us to win the war.”
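One way to prepare for the incremental-update scenario Conway describes is to audit stored PDFs for appended revisions that introduce active content. The following is an added example, not code from Conway's paper or from Adobe; the function names, the key list, and the sample bytes are assumptions made for illustration.

```python
import re

# Dictionary keys from the PDF specification that can trigger active behaviour.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
# Every saved revision of a PDF ends with its own %%EOF marker.
EOF = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n|$)")

def split_revisions(data: bytes) -> list[bytes]:
    """Return the bytes contributed by each revision, oldest first."""
    revisions, start = [], 0
    for match in EOF.finditer(data):
        revisions.append(data[start:match.end()])
        start = match.end()
    return revisions

def audit_incremental_updates(data: bytes) -> list[dict]:
    """List each appended revision and the active-content keys it adds.

    Limitation: keys hidden inside compressed object streams are not seen;
    a full audit would decode streams before scanning.
    """
    findings, seen = [], set()
    for index, chunk in enumerate(split_revisions(data)):
        present = {key.decode() for key in ACTIVE_KEYS
                   if re.search(re.escape(key) + rb"(?![A-Za-z])", chunk)}
        if index > 0:  # revision 0 is the original document body
            findings.append({"revision": index, "bytes": len(chunk),
                             "new_active_keys": sorted(present - seen)})
        seen |= present
    return findings

# Constructed sample: a skeletal original plus one appended update. The
# xref offsets are placeholders, so this is not a renderable document.
ORIGINAL = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
UPDATE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /JavaScript /JS (placeholder) >>\nendobj\n"
          b"trailer\n<< /Size 4 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n")

if __name__ == "__main__":
    for finding in audit_incremental_updates(ORIGINAL + UPDATE):
        print(finding)
```

A revision that adds nothing from the key list still appears in the output with an empty `new_active_keys`, so a baseline of revision counts per file can reveal documents that changed after they were stored.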
The advisory from Adobe for this month’s updates is here.