Adobe To Patch Critical Adobe Reader, Acrobat Vulnerabilities
The impending update will repair critical Adobe Reader and Acrobat Reader errors in versions 9.1 and prior for Windows, Mac and Unix systems. The patch also will cover Adobe Reader 9.1 and 8.1.4 for Linux.
If exploited, the flaw could allow attackers to launch denial-of-service attacks, crash a system, or distribute malware that could take control of a user's computer and steal information.
Reports indicate that the vulnerability stems from an error in the "getAnnots" JavaScript function, according to the U.S. Computer Emergency Readiness Team. To mitigate the risk, the federal agency recommended that users disable JavaScript in Adobe Reader. To do so, users are advised to open Edit > Preferences, select the JavaScript category, and uncheck the "Enable Acrobat JavaScript" option.
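Disabling JavaScript depends on every user acting, so defenders also want to spot incoming PDFs that carry JavaScript invoking getAnnots before they reach a vulnerable Reader. The following is an added Python example, not code from the article, US-CERT or Adobe; it inflates FlateDecode streams because a plain string search over the file misses compressed scripts, and the sample PDFs it scans are constructed inline.

```python
import re
import zlib
from typing import Optional

# Stream bodies sit between "stream" and "endstream"; scripts are often Flate-compressed.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_MARKERS = (b"/JavaScript", b"/JS")            # PDF action type and script entry
GETANNOTS_RE = re.compile(rb"\bgetAnnots\s*\(")  # the function named in the advisory

def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw PDF plus the inflated body of every stream that is zlib data."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed data, an image, or a filter this scanner does not handle
    return b"\n".join(parts)

def scan_pdf(pdf: bytes) -> dict:
    """Flag PDFs that contain JavaScript and, somewhere in the file, a getAnnots call."""
    text = inflate_streams(pdf)
    has_js = any(marker in text for marker in JS_MARKERS)
    calls_getannots = GETANNOTS_RE.search(text) is not None
    return {"javascript": has_js, "getAnnots": calls_getannots,
            "suspicious": has_js and calls_getannots}

def build_sample(js_code: Optional[bytes] = None) -> bytes:
    """Constructed minimal PDF; js_code, if given, becomes a Flate-compressed OpenAction script."""
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R"
    if js_code is not None:
        pdf += b" /OpenAction 4 0 R"
    pdf += (b" >> endobj\n2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
    if js_code is not None:
        packed = zlib.compress(js_code)
        pdf += (b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
                b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
                + packed + b"\nendstream\nendobj\n")
    return pdf + b"trailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    # Constructed samples: a benign file and one whose compressed script calls getAnnots.
    benign = build_sample()
    scripted = build_sample(b"var a = this.getAnnots(0, 0, 200, 200); app.alert(a.length);")
    print("benign:", scan_pdf(benign))      # every flag False
    print("scripted:", scan_pdf(scripted))  # suspicious: True
```

A real triage pipeline would also handle object streams and other filters; this block shows only the Flate case that hides most scripts.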
The San Jose, Calif.-based company issued a security advisory in April warning users that the critical flaw affected Adobe Reader 9.1 and all previous versions of Adobe Reader and Acrobat Reader.
So far, security experts say that there are no known "in the wild" attacks exploiting the vulnerability, but that likely will change as hackers get a hold of the exploit code and take advantage of users who have failed to update their systems.
"I haven't seen it yet but the exploitability is pretty high," said Paul Royal, principal researcher for security company Purewire. "In a couple of weeks, we'll finally see [exploit code] being weaponized."
Royal added that often attackers will take advantage of the security exploit window between the time exploit code is made publicly available and the time when the company releases a patch repairing the vulnerability. That security window often is made even bigger when users put off or fail to update their systems in a timely manner. "We wonder what percentage of users will actually apply the patch. If the growth of Conficker is any indication, [the number of Adobe users who patch their systems] probably won't be more than 50 percent," Royal said.
The Adobe patch comes less than two months after the company issued a fix repairing a cross-platform vulnerability in Adobe Reader 9 and Acrobat Reader 9, as well as earlier versions, that was actively exploited by attackers to crash the application and execute malicious information-stealing code on victims' computers.
Royal said that in recent months Adobe software has become a target for attacks as hackers moved away from the Web browser and increasingly gravitated toward application components as a vector for malware distribution.
"Obviously attackers are going to go for the weakest link," Royal said. "Adobe is a fairly large and complex software component and has not received enough security scrutiny."
Royal said that he hoped the recent spate of attacks, and subsequent patches, would prompt Adobe to conduct more proactive research to prevent future vulnerabilities and subsequent attacks.
"Hopefully, this will motivate them to be more proactive, or perhaps use consultants, to see if, in fact, there are additional vulnerabilities," he said.
In addition to applying the patch, security experts recommend that users rely on alternate, less targeted PDF-rendering software to minimize the risk of attack.