Disable JavaScript in Reader, security experts say

Dark Reading Staff, Dark Reading

February 20, 2009

2 Min Read

A new attack exploiting a previously unknown bug in Adobe Acrobat Reader is on the loose and being called "very severe," but Adobe doesn't plan to release a patch for the buffer overflow vulnerability until next month.

The Shadowserver Foundation reports that several iterations of the attack are spreading in the wild via the popular Acrobat and Acrobat Reader applications. "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited," blogs Shadowserver's Steven Adair. "Right now we believe these files are only being used in a smaller set of targeted attacks. However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."

Adobe issued an alert about the vulnerability yesterday, describing it as a "critical" buffer overflow vulnerability in Versions 9 and earlier of both Adobe Reader and Acrobat. "This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited," Adobe said.

But an update for Adobe Reader 9 and Acrobat 9 won't be issued until March 11, the company said, and updates for versions 8 and 7 of the software tools "soon after."

In the meantime, the best way to defend against the attack is to disable JavaScript in Acrobat and Acrobat Reader, according to Shadowserver. This will prevent the malware from hitting your system, but it will still crash the application. "We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of a small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice," Adair blogged.

Shadowserver analyzed the exploit and found that the malicious PDFs carry JavaScript and exploit a non-JavaScript function call. So disabling JavaScript kills the exploit, but crashes the application.

Several antivirus firms, including Symantec and Trend Micro, can now detect the attack.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights