Adobe issues advisory on new PDF vulnerability – patch due March 11 (UPDATE 3)

Update 3:

New attack vectors for this vulnerability are starting to crop up. Perhaps Adobe should push the patch out sooner than the 11th.

The newest Proof-of-Concept, thanks to Didier Stevens, explains how the PDF vulnerability can be exploited with no interaction on the part of the end user.

Using Windows Explorer Shell Extensions, Stevens created a direct path to exploitation that can be triggered by merely selecting a malicious PDF file. No need to open it, just click on it once, or hover over it with the mouse.

If the malicious file is in a folder and the Thumbnail option is set, the exploit could be triggered as well.

More information is here. (Video included)

Update 2:

There is more information on the recent PDF vulnerability discovered by the Shadowserver Foundation and confirmed by Adobe.

Researchers at Secunia have done additional testing on the vulnerability. As it turns out, disabling JavaScript will not prevent exploitation.

"Over the last couple of days, we have seen many sources recommend users to disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability," Secunia said.

"During our analysis, Secunia managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled."

There are fourteen days left until Adobe pushes a patch for this issue. In the meantime, security experts as well as Secunia are warning users to exercise extreme caution when opening PDF files, regardless of whether or not they have disabled JavaScript.


The vulnerability research team at Sourcefire (of Snort fame) has issued its own patch for the Adobe PDF issue. This patch is not official, and is ONLY for version 9 of Adobe Reader. If you are on an earlier version, such as version 8, you will have to wait for a solution. More details of the patch can be found here.

Original story is below:

A new vulnerability in Adobe’s Acrobat Reader 9 and Acrobat 9, as well as earlier versions, has been discovered by the Shadowserver Foundation. Adobe issued an official advisory on Friday, and said it expects to patch the flaw on March 11, with updates to earlier versions to follow soon after.

“A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited,” Adobe stated in the advisory.

PDF files are a popular target for online criminals, as they are almost universal methods of documentation and communication within both the business and private communities.

“The potential of an exploit like this is only limited by the imagination [of] malicious users,” said Jonathan Leopando of Trend Micro. “It spreads the same way normal PDF files can be distributed - either as an e-mail attachment, or downloaded from Web sites.”

On Thursday, the Shadowserver Foundation went public with details on the vulnerability, including the fact that it is being actively exploited on a limited scale.

“Right now we believe these files are only being used in a smaller set of targeted attacks,” the foundation outlined. “However, these types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the Internet. As a result we are also not going to provide any specific details on how the exploit works despite the fact that information is known.”

The fix, until Adobe releases an official patch, is to disable JavaScript within Acrobat Reader and Acrobat products.

To do so, click Edit, then Preferences, select JavaScript, and uncheck “Enable Acrobat JavaScript”.
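For administrators who need to check this setting on more than one machine, the following added example (not from Adobe or the original article) audits it for the current user and, with `-Enforce`, turns it off. It assumes the checkbox is stored as the per-user `bEnableJS` registry value under each version's `JSPrefs` key; as Update 2 notes, this only blocks the JavaScript-based exploits, not the vulnerability itself.

```powershell
# Added example: audit (and optionally enforce) the "Enable Acrobat JavaScript"
# preference for the current user across installed Reader/Acrobat versions.
# Assumption: the preference lives in HKCU\...\<version>\JSPrefs\bEnableJS.
param([switch]$Enforce)

$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

$results = foreach ($root in $productRoots) {
    if (-not (Test-Path $root)) { continue }

    # Each installed version (e.g. 8.0, 9.0) has its own subkey.
    $versions = Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($ver in $versions) {
        $jsKey   = Join-Path $ver.PSPath 'JSPrefs'
        $current = $null
        if (Test-Path $jsKey) {
            $current = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }

        # The key is absent until the preference has been written once,
        # so create it when enforcing.
        if ($Enforce -and $current -ne 0) {
            if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            $current = 0
        }

        [pscustomobject]@{
            Product    = Split-Path $root -Leaf
            Version    = $ver.PSChildName
            JavaScript = if ($null -eq $current) { 'not set (product default applies)' }
                         elseif ($current -eq 0) { 'disabled' }
                         else { 'enabled' }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it without arguments to report only; the setting is per user, so it has to run in each user's context.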

Once the patch is released, Adobe urges customers to apply the patch immediately. In the meantime, the mitigation offered by disabling JavaScript will be the only course of action users can take.
