Adobe to release critical update on patch Tuesday


A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by providing via e-mail or download a specially crafted PDF file which in current examples will then drop a malware executable as well as an unaffected pdf file. McAfee is identifying this under Exploit-PDF.m, and has a signature for a specific Trojan already identified. This is the fourth PDF related zero-day attack of 2009, and a further incentive for enterprises to bring patching of applications in line with processes for operating system patching.

The crafted PDF file contains a Javascript which is used to execute arbitrary code via a technique known as heap spraying. The initial shell code jumps program execution to a second shell code, which in turn executes a malicious file that creates a backdoor (remote access to the infected computer). Trend Micro is identifying this malware as a Protux variant. Protux backdoors provide user level access to the machine and have been associated as the payloads of Microsoft Office (Word, PowerPoint, Excel, Access) as well as previous Adobe Reader exploits. The Protux family of Trojans has been around since at least 2007.

The identification of this exploit has prompted Adobe to announce release of a critical patch for release on Tuesday, October 13th. The company posted a security advisory yesterday, announcing plans to release the update to “resolve critical security issues”. The vulnerability is being exploited, although it is unclear how widespread the attacks are. Adobe asserts that the vulnerability is being exploited in “limited, targeted attacks” limited to Windows operating systems although the vulnerability itself also exists for other operating systems.

“There are reports that this issue is being exploited in the wild in limited targeted attacks”
– David Lenoe of Adobe

Vupen Security posted an advisory on the vulnerability (CVE-2009-3459) which states that the issue is an unspecified memory corruption error, which could be exploited allowing attackers to comprise a system remotely.


Disabling Javascript on Adobe Acrobat

Adobe notes that disabling Javascript mitigates against the specific exploit identified, although it would be possible to create a variant that does not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat, select Edit > Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.

Uncheck to disable Acrobat JavaScript

Uncheck to disable Acrobat JavaScript

Data Execution Prevention

Also, users with DEP enabled on Windows Vista or Windows 7 are protected from this exploit. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, designed to prevent buffer overflow attacks. To enable DEP on Windows for all or individual programs, proceed to Control Panel -> System and Maintenance -> System, click on Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click Turn on DEP for all programs and services except those I select. If you can not find Acrobat in the list of programs, click Add and browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the Microsoft help page.

In Conclusion

In June Adobe moved to the same Tuesday patch management schedule that Microsoft and Oracle previously adopted. This latest zero-day exploit represents another opportunity to address an ongoing issue for organizations: that patch management must extend beyond just the operating system level. While enterprises focus on ensuring the latest Microsoft updates to the desktop and server environment, applications, such as Adobe Reader, fail to be a part of the the same rigorous patch management exercise.

Qualys demonstrated this problem when the first Adobe exploit was released this year in February, APSA09-01. While a fix was released on March 10th (demonstrated by the red line in their graph), by April 27th there was still no clear reduction in the number of vulnerable machines. A 30 day patch management cycle, including testing of the patch before full enterprise release, would have shown a steep drop off on or about April 10th:



In March Adobe patched a two month old zero day exploit, followed by another patch in May to block a second zero day attack. In July a fix was released for a Flash PDF related flaw. As evidenced by the four exploits thus far this year, Adobe applications are becoming an increasingly attractive target for bad actors.

Filed Under: featuredSecurity

Tags: , , , , , , , ,

Comments (1)

Trackback URL | Comments RSS Feed

  1. Hi,

    Thank you for the great quality of your blog, every time i come here, i’m amazed.

    black hattitude.