Topic: New Adobe Reader and Acrobat Vulnerabilities

Wiz Feinberg
From: Mid-Michigan, USA
Posted 29 Apr 2009 10:28 am
There are two brand new zero-day vulnerabilities in Adobe's Acrobat and Reader software. The proof of concept code has been published and Adobe is going to work on a patch. See my blog article titled "New zero-day JavaScript exploit targets Adobe Reader" for the details.
These vulnerabilities affect all versions of Reader and Acrobat, including the recently updated versions 8.14 and 9.1, on all operating system platforms (Windows, Mac, Linux, Unix, etc). To be exploited, one would have to be tricked into opening a specifically crafted PDF file in an unpatched version of Reader or Acrobat. Users operating with less than Administrator privileges would be less impacted, unless they opened the malware by using "Run as Administrator."
Until Adobe releases a patched version of Reader and Acrobat, you can stay protected against these exploits by disabling JavaScript in them. To do so, follow these steps:
- Launch Acrobat or Adobe Reader.
- Select Edit>Preferences
- Select the JavaScript Category
- Uncheck the ‘Enable Acrobat JavaScript’ option
- Click OK
Be especially cautious about opening PDF files in email attachments or on websites.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services

b0b
From: Cloverdale, CA, USA
Posted 29 Apr 2009 10:57 am
I recently saw a false positive report of a trojan downloader in a PDF file, from the virus protection software on one of the servers that I monitor. I know it was mistaken because I wrote the code that generated the PDF in question. The virus scanner deleted the file before I could examine it.
I do use Javascript in these PDF files, but I don't use the getAnnots() function. I hope that consumers don't start routinely turning off PDF Javascript, as it is a very useful feature of the format. I use it to dynamically set options in the Print Dialog for guaranteed accurate positioning when printing labels.
_________________
-𝕓𝕆𝕓- (admin) - Robert P. Lee - Recordings - Breathe - D6th - Video

Wiz Feinberg
From: Mid-Michigan, USA
Posted 4 May 2009 7:35 pm
b0b wrote:
I hope that consumers don't start routinely turning off PDF Javascript, as it is a very useful feature of the format. I use it to dynamically set options in the Print Dialog for guaranteed accurate positioning when printing labels.
I would recommend adding a note telling your readers that JavaScript will improve their viewing experience and that no hostile code is used. With all these exploits in Acrobat and Reader many consumers and end users will disable JavaScript in Adobe products and leave it off.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 4 May 2009 7:40 pm
Adobe promises an update to fix new JavaScript vulnerability

Adobe Systems expects to have patches ready to fix the latest flaws in Acrobat and Reader by next week.
Quote:
"We are in the process of fixing the issue and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009," wrote David Lenoe, a security program manager, on Adobe's security blog.
The update will fix the problem in versions 7.x, 8.x and 9.x for Reader and Acrobat on Windows, versions 8.x and 9.x of Reader and Acrobat for Macintosh, and Reader versions 8.x and 9.x for Unix. It will repair bug CVE-2009-1492, which concerns Adobe's implementation of JavaScript in Reader and Acrobat.
You can obtain the updates for your Adobe products by running the Secunia Online Software Inspector tomorrow afternoon, or afterward.

John Cipriano
From: San Francisco
Posted 7 May 2009 12:59 am
Wiz, you don't have the registry key handy for disabling JS in Reader, do you? I need to do it on a bunch of machines. If not, no biggie, I'll poke around.
Reader is a huge hassle to deploy, btw. It's packed in a dumb proprietary format, unlike a regular MSI. You have to get a program from Adobe to edit the package, and they make you go through an approval process. Then you edit the settings and the installer ignores some of them anyway...and which ones get ignored (whether or not to auto-update, for example) changes with each version.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 7 May 2009 6:43 am
John Cipriano wrote:
Wiz, you don't have the registry key handy for disabling JS in Reader, do you?
John;
I found that each version of Reader has its own key under the main "HKCU\Software\Adobe\Acrobat Reader" key and each sub-version has a JSPrefs subkey where you can change the DWord value to 0, as in this sample for Reader 9.0:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableGlobalSecurity"=dword:00000001
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000
Note that the JS Prefs must be set for each logged on user. I did not see a universal JS key in the Adobe Local Machine section.

John Cipriano
From: San Francisco
Posted 7 May 2009 1:05 pm
Of course they put it there. That's exactly where I can't get to with a simple remote registry operation, which means I have to start inventorying all the installations and make custom logon scripts. Fun!
Thanks for looking that up, Wiz.
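
The per-user setting discussed in the last two posts, written as a logon script. This is an added example, not code posted by anyone in the thread; the function name Disable-ReaderJavaScript is hypothetical, and the pattern used to recognise version subkeys ("8.0", "9.0") is an assumption based on the 9.0 sample above.

```powershell
# Added example (not from the thread): per-user logon script that turns off
# JavaScript for every Adobe Reader version key in the current user's hive.
# Disable-ReaderJavaScript is a hypothetical name chosen for this sketch.

function Disable-ReaderJavaScript {
    param(
        # Key named in the post above; each Reader version has a subkey here.
        [string]$BasePath = 'HKCU:\Software\Adobe\Acrobat Reader'
    )

    if (-not (Test-Path -Path $BasePath)) {
        # No Reader settings exist for this user yet, so there is nothing to change.
        return
    }

    foreach ($versionKey in Get-ChildItem -Path $BasePath) {
        # Assumption: version subkeys are named like "8.0" or "9.0".
        if ($versionKey.PSChildName -notmatch '^\d+\.\d+$') { continue }

        $jsPrefs = Join-Path -Path $versionKey.PSPath -ChildPath 'JSPrefs'
        if (-not (Test-Path -Path $jsPrefs)) {
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        # Same value as the .reg sample: "bEnableJS"=dword:00000000
        Set-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord

        # Read the value back so the output shows what is actually in effect.
        $current = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS').bEnableJS
        [pscustomobject]@{
            User      = $env:USERNAME
            Computer  = $env:COMPUTERNAME
            Version   = $versionKey.PSChildName
            JSEnabled = [bool]$current
        }
    }
}

# One row per Reader version found for the user who is logging on.
Disable-ReaderJavaScript | Format-Table -AutoSize
```

Because the keys live under HKCU, the script only changes the account it runs as; a user who has no Reader key yet is skipped and picked up at a later logon once the key exists.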