Summary:
- This vulnerability affects: Adobe Reader and Acrobat 9.x and earlier, on Windows, Mac, and UNIX computers (The flaws technically affect Reader X as well, but are much less exploitable)
- How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
- Impact: An attacker can execute code on your computer, potentially gaining control of it
- What to do: Windows users should install Adobe’s Reader and Acrobat 9.4.7 updates as soon as possible (or let Adobe’s Updater do it for you).
Exposure:
In a previous post, we warned you that attackers are currently leveraging a zero day vulnerability in Adobe Reader to launch targeted attacks against certain industries. The attack arrives as a targeted phishing email, which contains a specially crafted PDF file. If you open that PDF file, it leverages the previously unknown vulnerability to execute code on your computer, with your privileges.
Adobe promised they’d released a patch for this zero day during this week, which they just did today. According to their security bulletin, this out-of-cycle update actually corrects two security vulnerabilities, which attackers have exploited in the wild. As is typically the case with Adobe, they don’t describe the flaws in much technically detail, but they do say they involve memory corruption issues with the U3D and PRC components in Reader and Acrobat. As I mentioned before, if an attacker can entice you into opening a specially crafted PDF file, he can exploit these issues to execute code with your privileges. If you have root or system administrator privileges, the attacker gains complete control of you machine.
Solution Path
Adobe has released Windows Reader and Acrobat 9.4.7 to fix these vulnerabilities on Windows systems. Though Reader versions running on other platforms (such as Macintosh and Unix) are also susceptible to these issues, Adobe does not plan to patch them till their next quarterly update, scheduled for January 10, 2012.
It’s important to note, the more recent Reader and Acrobat X (10.1.1) versions are also vulnerable to these issue. However, Adobe does not believe attackers can exploit these flaws in the X versions due to built-in protection mechanisms. Nonetheless, they will also release Reader X updates in January.
In the meantime, Windows-based Reader and Acrobat 9.x users should download and install the following updates as soon as they can, or let Adobe’s updater do it for you.
- Adobe Reader 9.4.7
- Adobe Acrobat 9.4.7
For All WatchGuard Users:
Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.
Keep in mind, our Gateway Antivirus (GAV) service does also scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.
If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:
- XTM Appliance with WSM 11.x
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Adobe has released patches that correct these vulnerabilities on certain Windows systems. They plan to deliver the remaining updates in January.
References:
This alert was researched and written by Corey Nachreiner, CISSP.