Summary:
- This vulnerability affects: Adobe Reader and Acrobat X 10.1.1 and earlier, on Windows, Mac, and UNIX computers
- How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
- Impact: An attacker can execute code on your computer, potentially gaining control of it
- What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.2 or 9.5 updates as soon as possible (or let Adobe’s Updater do it for you).
Exposure:
During yesterday’s Patch Day, Adobe released one security bulletin describing six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and earlier, running on all supported platforms. Adobe doesn’t describe these flaws in much technically detail, but most of them involve memory corruption issues within Reader and Acrobat components. If an attacker can entice you into opening a specially crafted PDF file, he can exploit these types of issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of you machine.
In a previous post, we described an out-of-cycle Adobe update that fixed two zero day vulnerabilities in Reader and Acrobat 9.4.6 and earlier. Those zero day flaws also affect Reader and Acrobat X. However, Adobe decided not to releases the X updates at the time, since they believe that X’s built-in protection mechanisms would prevent attackers from exploiting the flaws in the real world. Today’s Reader update also corrects those two outstanding issues in Reader and Acrobat X.
UPDATE: Now that Adobe has released their official bulletin, independent researchers and organizations are sharing their details about these Adobe flaws, which often include more technical depth about the issues. If you’re a technically-minded security professional who likes to know more specifics, I’d recommend you follow some of the security mailing lists (such as FullDisclosure or Security Focus), where you may find more detailed alerts about the individual vulnerabilities like this one.
Solution Path
Adobe has released Reader and Acrobat X 10.1.2 (and 9.5 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.
- Adobe Reader X 10.1.2
- Adobe Acrobat X 10.1.2
For All WatchGuard Users:
Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.
Keep in mind, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.
If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:
- XTM Appliance with WSM 11.x
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Adobe has released patches to correct these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP.