Zero-Day Attack On Adobe Acrobat And Reader Under Way, But Patch Is Weeks Away

Disable JavaScript in Reader, security experts say
A new attack exploiting a previously unknown bug in Adobe Acrobat Reader is on the loose and being called "very severe," but Adobe doesn't plan to release a patch for the buffer overflow vulnerability until next month.

The Shadowserver Foundation reports that several iterations of the attack are spreading in the wild via the popular Acrobat and Acrobat Reader applications. "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited," blogs Shadowserver's Steven Adair. "Right now we believe these files are only being used in a smaller set of targeted attacks. However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."

Adobe issued an alert about the vulnerability yesterday, describing it as a "critical" buffer overflow vulnerability in Versions 9 and earlier of both Adobe Reader and Acrobat. "This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited," Adobe said.

But an update for Adobe Reader 9 and Acrobat 9 won't be issued until March 11, the company said, with updates for versions 8 and 7 of the software to follow "soon after."

In the meantime, the best way to defend against the attack is to disable JavaScript in Acrobat and Acrobat Reader, according to Shadowserver. This will prevent the malware from hitting your system, but it will still crash the application. "We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of a small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice," Adair blogged.

Shadowserver analyzed the exploit and found that the malicious PDFs carry JavaScript and exploit a non-JavaScript function call. So disabling JavaScript defeats the exploit, but the application still crashes when a malicious PDF is opened.
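
Because the malicious PDFs carry JavaScript, inbound PDFs can be triaged for script and auto-run keywords before anyone opens them. The Python example below is added here and is not taken from Shadowserver, Adobe or the original article; it counts the relevant PDF name keywords, including hex-escaped spellings, and its function names and two sample byte strings are constructed for illustration.

```python
import re

# Name keywords that indicate script or auto-run actions (from the PDF specification).
KEYWORDS = ("JavaScript", "JS", "OpenAction", "AA")

# A PDF name: "/" followed by regular characters or #xx hex escapes.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so J#61vaScript reads as JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script-related names in raw PDF bytes.

    Limitation: names inside compressed object streams are not visible here.
    """
    counts = {k: 0 for k in KEYWORDS}
    escaped = 0
    for m in _NAME.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                escaped += 1  # an escaped keyword is itself worth a closer look
    return {
        "counts": counts,
        "escaped_names": escaped,
        "has_javascript": counts["JavaScript"] + counts["JS"] > 0,
        "auto_runs": counts["OpenAction"] + counts["AA"] > 0,
    }


# Constructed samples (not real malware): minimal PDF-like byte strings.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("scripted", SCRIPTED)):
        print(label, triage_pdf(sample))
```

A hit means the file contains JavaScript, not that it is malicious; it marks the file for quarantine or closer analysis.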

Several antivirus firms, including Symantec and Trend Micro, can now detect the attack.
