Security Alerts
Security Warning: Adobe Reader and Acrobat Vulnerability Being Exploited
12/21/2009
An un-patched vulnerability in Adobe Reader
and Acrobat (for reading and creating PDF documents) is being actively exploited on the
Internet. Adobe is not planning to release a patch until
January 12, 2010. The vulnerability could potentially allow
an attacker to take control of the affected system. Adobe has
posted information about how to work around the vulnerability.
What Should You Do Now
Make sure that your computer has a workaround for this vulnerability implemented. We have said it before and we will say it again: Disable JavaScript in Adobe Reader and Acrobat. See "How Do I Protect My Computer" below.
ITPS also recommends that you configure Adobe Reader and your browser to not automatically open PDF files on the Internet in your browser. This will give you more protection, as it will be more obvious when a web site tries to open a (potentially malicious) PDF file on your computer.
What is the Vulnerability
The vulnerability involves a JavaScript function within Adobe Reader and Acrobat, but it has been reported that the JavaScript is obfuscated, making detection more difficult. When Adobe learned of the vulnerability, the information was not publicly known, but with all the attention, it will probably become public. When that happens, more attacks using the vulnerability are likely, making the need for protection that much more critical.
What is the Attack
Initially the attack arrives as a PDF file attachment in an e-mail message. The attack uses social engineering to lure the recipient into opening the attachment. The attachment then attempts to infect the computer with a Trojan virus. If you get an e-mail message that you were not expecting that tries to pressure you into opening an attachment, it is very likely that the attachment is malware and you should delete the message.
As information about the underlying vulnerability becomes public, other attacks are likely. Malicious PDF files could arrive via e-mail, be downloaded from the web, or arrive in many other ways. Be suspicious of any PDF file that you did not request.
In fact, we are already seeing additional attacks. Timesunion.com, a news publication in Albany, NY, said on Friday that visitors to the site's comics section began reporting malicious downloads while viewing comics that are attributed to this PDF vulnerability.
Exploits of this PDF vulnerability are now featuring fake Microsoft security certificates. The bogus security certificates signed by Microsoft are used to spoof anti-virus software. The phony certificates are designed to look like real certificates but lack information that genuine security certificates would have.
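One way to act on the advice to be suspicious of any PDF you did not request is to check the file for JavaScript before it is opened. The following is an added example, not code from Adobe or ITPS: a triage heuristic whose function names and SAMPLE_ inputs are assumptions made for illustration. It inspects only the raw bytes and Flate-compressed streams, so a clean result does not prove a file is safe.

```python
import re
import zlib

# PDF name tokens for script actions and automatic triggers.
SUSPECT_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA")

def decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx hex escapes so '/J#61vaScript' reads as '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that zlib can inflate."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the end-of-line before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or another filter): left uninspected
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count suspect names in the raw bytes plus any inflated streams."""
    haystack = decode_name_escapes(data + b"\n" + inflate_streams(data))
    counts = {}
    for name in SUSPECT_NAMES:
        # Lookahead stops /JS from matching a longer name such as /JSFoo.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_.#-])"
        counts[name] = len(re.findall(pattern, haystack))
    return counts

def has_javascript(data: bytes) -> bool:
    counts = triage_pdf(data)
    return counts["/JS"] > 0 or counts["/JavaScript"] > 0

# Constructed sample inputs (not real documents or captured malware).
SCRIPT_DICT = b"<< /S /JavaScript /JS (1;) >>"
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ESCAPED = b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /J#53 (1;) >>\nendobj\n"
SAMPLE_PACKED = (b"%PDF-1.5\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(SCRIPT_DICT) + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("escaped", SAMPLE_ESCAPED),
                          ("packed", SAMPLE_PACKED)):
        print(label, has_javascript(sample), triage_pdf(sample))
```

A file that reports JavaScript together with /OpenAction or /AA runs script without user interaction once opened, which is the case the JavaScript setting described below is meant to block.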
How Do I Protect My Computer
The easiest way to protect your computer is to disable JavaScript in Adobe Reader and Acrobat. If you need to use JavaScript and you are running Adobe Reader or Acrobat versions 9.2 or 8.1.7, you can utilize the JavaScript Blacklist Framework that Adobe added in those versions to provide granular control over the execution of specific JavaScript API calls. JavaScript has been a frequent attack vector in Adobe Reader and Acrobat, and its functionality is not normally needed. That is why ITPS has disabled JavaScript in Adobe Reader and Acrobat at all our Managed Care customer sites. We recommend that you do the same.
To disable JavaScript in Adobe Reader or Acrobat on a single computer:
1. Run Adobe Reader or Acrobat.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
If you have many computers, this becomes a lot of work. If you have an Active Directory (AD) domain, you can use a group policy object (GPO) to disable JavaScript in Adobe Reader and Acrobat on all (or select groups) of your computers without having to manually disable it on each computer.
To use the JavaScript Blacklist Framework to work around this vulnerability, see Adobe's instructions at http://kb2.adobe.com/cps/532/cpsid_53237.html.
References
Adobe: Security Advisory APSE09-07
Adobe: JavaScript Blacklist Framework Mitigation
Symantec: Zero-Day Xmas Present
Computer World: Adobe probes new in-the-wild PDF bug
PCWorld: Adobe Reader Zero-Day Exploit: Protecting Your PC
Computer World: Adobe explains PDF patch delay
The Tech Herald: Funny pages used to launch PDF attack
MX Logic: Adobe exploits now feature faked Microsoft security certificates
Managed Services
IT Professional Services disabled JavaScript in Acrobat and Adobe Reader via a group policy at all of our Managed Care customers some time ago. Managed Care customers are protected from this vulnerability.
Professional Services
If you need assistance installing a workaround for this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.