• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • Daily Security Bytes
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Update Adobe Reader or Avoid Potentially Malicious PDFs

April 10, 2012 By Corey Nachreiner

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1.2 and earlier, running on Windows, Mac, and Linux
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.3 or 9.5.1 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

Today, Adobe released a security bulletin describing four vulnerabilities in Adobe Reader and Acrobat X 10.1.2 and earlier, running on all supported platforms.  Adobe doesn’t describe these flaws in much technically detail, but most of them involve integer overflow and memory corruption issues within Reader and Acrobat components. Despite their technical differences, all four vulnerabilities share a similar scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

If you use Adobe Reader to open PDF documents, you should download and install this Reader update as soon as you can.

Solution Path

Adobe has released Reader and Acrobat X 10.1.3 (and 9.5.1 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

  • Adobe Reader X 10.1.3
    • For Windows
    • For Mac
    • For Linux
  • Adobe Acrobat X 10.1.3
    • Standard and Pro for Windows
    • Pro Extended for Windows
    • Pro for Mac

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your WatchGuard appliance to block PDF documents from entering your network, thus mitigating the risk of these issues. However, doing so blocks both legitimate and malicious PDF files. If your organization relies on PDF documents, you may not want to implement this mitigation workaround.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list various ways you can identify PDF documents (.pdf):

File Extension:

  • .PDF – Adobe Reader document

MIME types:

  • application/pdf
  • application/x-pdf
  • application/acrobat
  • applications/vnd.pdf
  • text/pdf
  • text/x-pdf

FILExt.com reported Magic Byte Pattern:

  • Hex: 25 50 44 46 2D 31 2E
  • ASCII: %PDF-1

If you do decide you want to block PDF files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above. Also, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service can protect you from some PDF-based malware.

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP Proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Adobe has released patches to correct these vulnerabilities.

References:

  • Adobe April 2012 Reader and Acrobat Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe, Reader, Zero day exploit

Comments

  1. Comodo says

    April 18, 2012 at 10:35 pm

    Thanks for sharing, It’s really informative.

    Reply
  2. filtri per sigaretta elettronica says

    July 14, 2014 at 8:43 pm

    One of the sound advices in this regard is the utilization of only thhe quality brands for having real
    smoking experience. It still coontains nicotine mist to taste like real cigarette
    without dreaded carcinogens. Whenever a smoker inhales the nicotine vapor,
    it provides nicotine hit to thee smoker in a fraction of
    seconds.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • USA’s Answer to GDPR
  • Rolling PWN

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Private Sector Offensive Actors
  • USA’s Answer to GDPR
  • Rolling PWN
  • Over a Billion Records Leaked in Shanghai National Police Database Hack
  • LockBit Ransomware Group Introduces Bug Bounties and More
View All

Search

Archives

Copyright © 2022 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use