Adobe Reader, Acrobat Under Zero-Day Attack – DarkReading


Adobe Reader, Acrobat Under Zero-Day Attack – DarkReading

Another vulnerability has struck users of Adobe Reader and Adobe Acrobat.  This affects versions 8 and 9 (and possibly earlier versions as well).  While researchers and officials at Adobe are not saying exactly what the vulnerability is, there are reports that it lies in how Acrobat/Reader handles Javascript.

Javascript is found in a lot of places (you’re seeing examples of it on this website in fact).  However, the vulnerability only lies in how Adobe uses Javascript (so you don’t have to disable it in browsers or other programs—as of yet).  To say that Javascript is Java is the same as saying “vbscript is Visual Basic”.  It’s not exactly true.  Javascript is a subset of Java—in that they share some common traits.  But, at best, it’s an extremely scaled down version (read as limited) of Java.

How this vulnerability is being used right now:

Currently, the people who are using this vulnerability are sending out pdf files to “victims” using Social Engineering tactics.  E-mails will possibly be marked as “urgent” or “High Importance”.  The English in the e-mails may not be perfect.  It’s not clear if the vulnerability will scan your address book and use your contacts to further the infection.  If you open the pdf file, it will trigger the vulnerability, which will cause Acrobat to crash.  The pdf file may, or may not download a “payload” which could be a virus, trojan, or other malware.  The reports indicate that the vulnerability is used to install a keylogger and to data mine your computer.  (Data mining is a fancy way of saying “look for anything they think is valuable, and send a copy of it back to them.”)

What to do about this:

Adobe and the security researchers recommend that you disable Javascript in Adobe Reader.  You don’t have to disable it anywhere else (has this been emphasized enough yet?) though.  To disable it in Adobe, click on Edit –> Preferences –> Select the Javascript Category.  Uncheck the option that says “Enable Acrobat Javascript”.  Click OK.

Note, this will definitely break some pdf files that you have, if they are using JavaScript.  Personally, I have pdf files from my college, that use JavaScript to verify my credentials.  In weighing the risks, I’ve decided that it’s better to break them (and then enable JavaScript on a need to do basis), rather than risk infection.

Adobe also says that they will release a patch on or around January 12, 2010 to fix this. 

What problems lie ahead:

The biggest problem that lies ahead is this.  When Adobe releases their patch, people will instinctively re-enable JavaScript in Acrobat/Reader.  Which means that while they’re protected against the current (KNOWN) threats, they are leaving themselves open to attacks from future and unknown threats.

Adobe should disable JavaScript by default, and look for a better means of rendering pdf’s.  PDF writers need to find a better means of securing and rendering their pdf files.  And users need to leave JavaScript disabled (only enabling it when absolutely necessary).

On another note, this is a good time to bring up the issue of Digital Signatures and encrypting your e-mails.  If you have a digital signature, use it.  If you don’t have one, then get one.  They’re not expensive.  Let your recipients know that if they receive an attachment from you, that doesn’t have this signature, delete the e-mail, and request that you resend it with the signature.

Yes, this will create a little hassle for you and them.  But, I ask you this. Is it better to be hassled by this, or better to have your name associated with spreading a virus?

Have a great day:)
Patrick.

Leave a comment

Your email address will not be published. Required fields are marked *