Security Warning: Adobe Reader and Acrobat
An unpatched vulnerability in Adobe Reader
and Acrobat (for reading and creating PDF documents) is being actively exploited on the
Internet. Adobe is not planning to release a patch until
January 12, 2010. The vulnerability could potentially allow
an attacker to take control of the affected system. Adobe has
posted information about how to work around the vulnerability.
What Should You Do Now
Make sure that your computer has a workaround
Do I Protect My Computer" below.
also recommends that you configure Adobe Reader and your browser to not
automatically open PDF files on the Internet in your browser.
This will give you more protection as it will be more obvious
when a web site tries to open (a potentially malicious) PDF file on
What is the Vulnerability
making detection more difficult.
When Adobe learned of the
vulnerability, the information was not publicly known, but with all the
attention, it will probably become public. When that happens,
more attacks using the vulnerability are likely, making the need for
protection that much more critical.
What is the Attack
Initially the attack arrives as a PDF file attachment in an e-mail
message. The attack uses social engineering to lure the recipient into opening the
attachment. The attachment then attempts to infect the computer with a Trojan virus.
you get an e-mail message that you were not expecting that tries to
pressure you into opening an attachment, it is very likely that the
attachment is malware and you should delete the message.
information about the underlying vulnerability becomes
public, other attacks are likely. Malicious PDF files could
arrive via e-mail, be downloaded from the web, or come in many other ways.
Be suspicious of any PDF file that you did not request.
In fact, we are already seeing additional attacks. Timesunion.com, a news publication in Albany, NY, said
on Friday that visitors to the site's comics section began reporting
malicious downloads while viewing comics that are attributed to this
Exploits of this PDF vulnerability are now
featuring fake Microsoft security certificates. The bogus security
certificates, purportedly signed by Microsoft, are used to fool anti-virus software.
The phony certificates are designed to look like real certificates but
lack information that genuine security certificates would have.
Do I Protect My Computer
The easiest way to protect your computer is to
disable JavaScript in Adobe Reader and Acrobat. If you need
to use JavaScript and you are running Adobe Reader or Acrobat
has been a frequent attack vector in Adobe Reader and Acrobat, and its
functionality is not normally needed. That is why ITPS has
customer sites. We recommend that you do the same.
To disable JavaScript in Adobe Reader
or Acrobat on a single computer:
1. Run Adobe Reader or Acrobat.
2. Select Edit > Preferences.
5. Click OK.
If you have many computers, this becomes a
lot of work. If you have an Active Directory (AD) domain, you
can use a group policy object (GPO) to disable JavaScript in Adobe
Reader and Acrobat on all (or selected groups) of your computers without
having to manually disable it on each computer.
workaround this vulnerability, see Adobe's instructions at http://kb2.adobe.com/cps/532/cpsid_53237.html.
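The preference change described above can also be checked and applied from a script, for example one run at logon. The following PowerShell is an added example, not part of this bulletin or of Adobe's instructions; it assumes the setting is stored as the DWORD value bEnableJS under a per-version JSPrefs key in the current user's registry hive, and the -Remediate switch is a name chosen here.

```powershell
# Added example: audit (and optionally disable) the Acrobat JavaScript
# preference for the current user across every installed version.
# Assumption: the preference is the DWORD value bEnableJS under
# HKCU:\Software\Adobe\<product>\<version>\JSPrefs (0 = disabled).
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

$results = foreach ($root in $productRoots) {
    if (-not (Test-Path $root)) { continue }

    # Each installed version has its own subkey, so enumerate the subkeys
    # rather than hard-coding a version number.
    foreach ($versionKey in Get-ChildItem -Path $root) {
        $jsPrefs = "$($versionKey.PSPath)\JSPrefs"
        $current = $null
        if (Test-Path $jsPrefs) {
            $current = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }

        # Assumption: a missing value means the product default (enabled) applies.
        $enabled = ($null -eq $current) -or ($current -ne 0)

        if ($enabled -and $Remediate) {
            if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
            New-ItemProperty -Path $jsPrefs -Name bEnableJS -PropertyType DWord `
                -Value 0 -Force | Out-Null
            $enabled = $false
        }

        [pscustomobject]@{
            Product           = Split-Path $root -Leaf
            Version           = $versionKey.PSChildName
            JavaScriptEnabled = $enabled
        }
    }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a logon script or management tool flag the machine.
if ($results | Where-Object { $_.JavaScriptEnabled }) { exit 1 }
```

Because the value lives in the per-user hive, the script has to run in each user's session; a user can re-enable the preference afterwards, so re-running the audit periodically shows whether the setting has drifted.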
IT Professional Services
had disabled JavaScript in Acrobat and Adobe Reader via a group policy
at all of our customers of Managed
Care some time ago. Managed Care customers are
protected from this vulnerability.
If you need assistance installing a workaround
for this vulnerability or a security assessment, IT
Professional Services can help. Call our
out more about our Managed Care service.
To find out how vulnerable your network is,
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.