Adobe investigates PDF Reader zero-day vulnerability reports

JMH · Feb 13, 2013

In a brief blog post, Adobe's security team has said that it is investigating reports of a brand new zero-day vulnerability affecting its Adobe Reader and Acrobat XI (11.0.1) products.

The concern is related to a blog post by security firm Fireeye who yesterday claimed to have uncovered a PDF zero-day vulnerability being exploited in the wild to infect computers.

Unfortunately, details in Fireeye's blog post are scant - and so it's currently impossible for SophosLabs to confirm if this is a genuine zero-day threat.

Adobe investigates PDF Reader zero-day vulnerability reports | Naked Security

JMH · Feb 14, 2013

Don't open that PDF: There's an Adobe Reader zero-day on the loose.

Summary: After Java and Flash, now PDF Reader is under attack, with one security firm warning Reader users to avoid PDFs.

Security researchers are warning users not to open PDFs from unknown sources in Adobe Reader after finding a PDF zero-day being exploited in the wild.

Researchers at security firm FireEye claimed on Tuesday they had seen the attack PDFs successfully exploit the latest versions of Adobe's PDF Reader for Mac, Linux and Windows.

"Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett noted in a blog post.

Don't open that PDF: There's an Adobe Reader zero-day on the loose | ZDNet

Corrine · Feb 14, 2013

Critical Security Advisory for Adobe Reader and Acrobat (APSA13-02)

Adobe has now released Security Advisory (APSA13-02) related to critical security vulnerabilities in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. The vulnerabilities are being exploited in the wild.

In order to minimize vulnerability it is recommended Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled. Unfortunately, neither the Protected Mode or Protected View option is available for Macintosh users.

To enable this setting, do the following:

Click Edit > Preferences > Security (Enhanced) menu.
Change the "Off" setting to "All Files".
Ensure the "Enable Enhanced Security" box is checked.

See the above illustrated as well as and additional information about the vulnerabilities in my blog post at Critical Security Advisory for Adobe Reader and Acrobat (APSA13-02).

AceInfinity · Feb 15, 2013

Good information Corrine, I have yet to learn more about the PDF file format, the only trouble is that it changes with nearly every release of Adobe's Acrobat reader. So not only do you have a new program to learn about, but a new fileformat as well, modified from the previous file specification of the portable document format. From my quick understanding it seems to use hashes, whether MD5 is constant or not, I found an entry of 2 hashes in one PDF file I had:

*Really the same hash over 2 values within brackets, not sure what the significance is of this:

Code:

[<1575E5712C8FD6A387DF540E0AB20D0D> <1575E5712C8FD6A387DF540E0AB20D0D>]

These are 32bits in length though so it looks like an MD5 to me, perhaps newer file specifications adopted something like SHA256...? All I know is, unlike most file formats I know of, this seems to be a custom packed file, using the LZW compression algorithm.

I've got lots to learn about this though.

Corrine · Feb 17, 2013

It may be a custom packed file, Ace, but it certainly doesn't seem to bother the malware writers finding vulnerabilities!

Adobe announced plans for an update for some time this week: Schedule update to Security Advisory for Adobe Reader and Acrobat (APSA13-02):

Adobe plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013.

AceInfinity · Feb 17, 2013

Nope, it's a standard PDF file format, version 1.5 from what I'm seeing in the header. As far as I know, the latest version is 1.7 for the PDF specification?

Search

Search

Adobe investigates PDF Reader zero-day vulnerability reports

JMH

Emeritus, Contributor

JMH

Emeritus, Contributor

Corrine

Administrator,
Microsoft MVP,
Security Analyst

AceInfinity

Emeritus, Contributor

Corrine

Administrator,
Microsoft MVP,
Security Analyst

AceInfinity

Emeritus, Contributor

Adobe investigates PDF Reader zero-day vulnerability reports

JMH

Emeritus, Contributor

JMH

Emeritus, Contributor

Corrine

Administrator, Microsoft MVP, Security Analyst

AceInfinity

Emeritus, Contributor

Corrine

Administrator, Microsoft MVP, Security Analyst

AceInfinity

Emeritus, Contributor

Administrator,
Microsoft MVP,
Security Analyst

Administrator,
Microsoft MVP,
Security Analyst