Hackers have been exploiting a critical bug in Adobe Reader, the popular PDF-viewing software, for at least nine days, researchers said Friday, but a patch may not be ready for another three weeks.
“We reported this to Adobe on Feb. 12,” said Kevin Haley, a director in Symantec Corp.'s security response group. “That was the same day that we had a sample of the exploit.”
Attacks have been spotted in Asia, primarily in Japan, said Haley, as well as in a few other countries. But their small number led him to characterize them as “targeted,” meaning the victims had been specially selected.
“But this [bug] is not hard to exploit,” he added, indicating that Symantec expects the attacks to spread.
So does Andrew Storms, director of security operations at nCircle Network Security Inc. “If the history of Adobe Reader vulnerabilities shows us anything, it's probably just a number of days before this takes off,” Storms said.
In a security advisory released yesterday, Adobe acknowledged the bug and the ongoing attacks, and said that both Reader and Acrobat, an advanced PDF-creation and edit application, are vulnerable. Versions 7, 8 and 9 of both programs, and on all platforms, contain the flaw, the company confirmed. Adobe Reader, by far the more popular of the two applications, is available for Windows, Mac OS X and Linux.
Adobe plans to patch Reader 9 and Acrobat 9 — the most current versions — by March 11, and will then follow with fixes for Reader/Acrobat 8 and Reader/Acrobat 7, in that order. It did not spell out a timetable for updates to Versions 7 and 8, however.
In the meantime, both Haley and Storms expect hackers to take advantage of the bug, possibly by integrating new attack code into the multistrike exploit kits that are frequently used by cybercriminals to launch attacks against users who are duped into visiting malicious Web sites. “There's no reason to think that that won't happen,” he said. “Reader is a very popular application.”
The in-the-wild attacks trigger the bug with a Trojan horse that Symantec has pegged “Pidief.e,” which then installs several additional components to open a backdoor on the compromised computer. That backdoor can later be used to inject additional malware into the machine.
Attacks could be initiated by spam messages that trick users into clicking through to a malicious site, or by packing exploit code in a file attachment.
Although neither Adobe nor Symantec provided details of the vulnerability, the Shadowserver.org site posted a partial analysis that claimed the bug was in a non-JavaScript function call.
“I had completely expected that this would be yet another JavaScript vulnerability in Reader,” said Storms, who has blasted Adobe in the past for what he has called an “epidemic” of JavaScript bugs.
Shadowserver.org's write-up recommended that users disable JavaScript in Reader and Acrobat because, although the flaw is not in that code, turning off the feature helps protect against the current exploit. “The exploit can be effectively mitigated by disabling JavaScript,” said Shadowserver. “In this scenario, Adobe [Reader] will still crash, but the required heap spray will not occur and code execution is not possible.”
Storms had no better advice, but wondered if that would be enough. “What do we do in the meantime, between now and March 11, when Adobe patches this?” he asked. “Is the [disabling JavaScript] mitigation a good step or the only step? Without a look at the exploit, we can't be sure.”
To disable JavaScript in Adobe Reader, Windows users should select “Preferences” from the Edit menu, then click on “JavaScript” in the ensuing list and uncheck the box marked “Enable Acrobat JavaScript.” Mac users will find Preferences under the “Adobe Reader” menu.
Adobe Reader and Acrobat are no strangers to exploits. Last November, attackers jumped on a just-patched vulnerability in Reader 8.1.3 within days.
