January 5, 2010

Adobe is planning to ship an update a week from today that fixes a critical vulnerability in its free and widely used PDF Reader program. Unfortunately, according to experts, criminal hackers are starting to step up attempts to exploit the flaw and install malicious software via poisoned PDFs.

The SANS Internet Storm Center warns that it is beginning to get submissions of malicious PDFs from experts in the field. It’s difficult to say how likely it is that your average Web user would encounter one of these nasty PDFs, although I would not be at all surprised to see the bad guys taking greater advantage of the situation between now and next Tuesday.

Fortunately, there is an easy way to mitigate the threat until Adobe patches the flaw: Disable Javascript. To do this, follow the instructions at Adobe’s advisory, under the “solutions” header at this page. If that tweak somehow creates a problem, you can always undo it. Or, read PDFs using another free reader program (I prefer Foxit Reader).

Longer term, it looks like Adobe is planning to include functionality that will silently patch security holes without any user action. Currently, Adobe Reader ships with an component that prompts users to install updates, but of course plenty of users ignore that warning over and over again. Given the ubiquity of this program, I see this as a positive development overall, provided Adobe doesn’t squander a security opportunity by pushing “extras,” such as third-party toolbars or trial programs.


12 thoughts on “Security Tweaks for Adobe Reader

  1. Tim

    For your enterprise users. Disabling JavaScript In Adobe will still prompt the user to enable JavaScript when opening a malicious document. If the user chooses “yes” then the document is opened with JavaScript enabled.

    Adobe recently implemented the JavaScript Blacklist Framework for mitigating specific attacks in the enterprise. (There is no reason a home user could not download the .reg and use it too). Just be aware, it will disable functionality that may also be legitimate. More info on the framework in reference to this vulnerability can be found here:

    http://kb2.adobe.com/cps/504/cpsid_50431.html

    I also cover this in more detail on my personal blog here:

    http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

    Anyways, congrats on the new site and a new start. I will be looking forward to your posts!

    Tim

  2. Moike

    If Adobe were serious about security, they’d disable Javascript out of the box.

  3. jjjdavidson

    You might point out to your readers that JavaScript must be disabled individually for each different user account on a computer (at least on Windows).

  4. Reid

    An easy solution for end users on Windows is to run the registry edit script found at the link below. You will need to know what version of Acrobat or Reader that is in use, and select the proper version when the script is run.

    http://kb2.adobe.com/cps/532/cpsid_53237.html

    “Adobe Reader and Acrobat JavaScript Blacklist Framework Mitigation for Security Advisory – APSA09-07

    Consumers – Windows: For end-users on Windows, download the compressed file, and double-click on the appropriate registry setting, based on your version of Reader or Acrobat, to populate the JavaScript Blacklist Framework. Adobe will automatically reset the value during the next update.”

    Mac and Linux users will need to follow the Enterprise instructions.

  5. Ben

    FYI FoxitReader has JS enabled by default so like others you have to manually disabled it.

  6. el io

    I hope the update process will be more secure than their javascript implementation.

    It might also be nice to have security software vendors include software that locks down popular 3rd party applications (and changes defaults like allowing javascript in PDFs). It seems an easier battle to reduce the surface area of attack than attempt to keep up with the army of malware coders finding new exploits.

  7. Frank

    If Adobe put security first JavaScript would be disabled out of the box. Unfortunately, this would probably inconvenience users to the point that they would complain.

  8. JPO

    I am just wondering how well Foxit polices its Reader to be sure there are no viruses and how long you think it will be before hackers try to find vulerabilities in its products. By the way, your new site is great. I especially like how clean it is; demonstrates how seriously you take your work.

    1. BrianKrebs Post author

      Thanks, and welcome to the site. This is a hard question to answer. Foxit ships updates just like Adobe; it seems to issue fewer security updates, but when they do they tend to fix known issues very quickly. http://www.foxitsoftware.com/pdf/reader/security.htm

      Foxit comes with a built-in updater, but I’m not sure that it auto-updates that reliably. You can run a manual update check from the “Help” menu, and see if it offers you a new version, and then if that version includes mention of anything security-related.

      As someone mentioned before, if you wish you can turn off Javascript in Foxit as well, going to Tools, Preferences, Javascript. Doing so in either Adobe or Foxit will eliminate some functionality, such as the ability to enter data into interactive PDF forms.

  9. Rick Zeman

    I’d like to a) be able to push these changes out via Group Policy. But, does Adobe have ADM(x) files for Acrobat? Nope. I’d like to update our Acrobat 9.0 via GP, also. I can do it…as long as I can do four NON-accumulative updates between that and 9.2. Lovely.

    Brian, I wonder what’s happening to the Post’s page views now that Slashdot, etc, are linking to here instead of to there….

  10. Paul

    I just found out that Acrobat 7 is also vulnerable to this bug.

    When the fix came out, it looked like Adobe Reader/Acrobat 8.x & 9.x were the only ones affected. According to http://www.adobe.com/support/security/bulletins/apsb10-02.html which points to http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86, the reason the 7 versions were not fixed was that they are no longer supported. They are still vulnerable, so should be uninstalled or upgraded to a supported version.

    For more info, see the advisory at http://secunia.com/advisories/38138.

Comments are closed.