Hackers exploit unpatched Adobe Reader bug

Expect attacks to spread before Adobe issues patch, say researchers

Attacks could be initiated by spam messages that trick users into clicking through to a malicious site, or by packing exploit code in a file attachment.

Although neither Adobe nor Symantec provided details of the vulnerability, the Shadowserver.org site posted a partial analysis that claimed the bug was in a non-JavaScript function call.

"I had completely expected that this would be yet another JavaScript vulnerability in Reader," said Storms, who has blasted Adobe in the past for what he has called an "epidemic" of JavaScript bugs.

Shadowserver.org's write-up recommended that users disable JavaScript in Reader and Acrobat because, although the flaw is not in that code, turning off the feature helps protect against the current exploit. "The exploit can be effectively mitigated by disabling JavaScript," said Shadowserver. "In this scenario, Adobe [Reader] will still crash, but the required heap spray will not occur and code execution is not possible."

Storms had no better advice, but wondered if that would be enough. "What do we do in the meantime, between now and March 11, when Adobe patches this?" he asked. "Is the [disabling JavaScript] mitigation a good step or the only step? Without a look at the exploit, we can't be sure."

To disable JavaScript in Adobe Reader, Windows users should select "Preferences" from the Edit menu, then click on "JavaScript" in the ensuing list and uncheck the box marked "Enable Acrobat JavaScript." Mac users will find Preferences under the "Adobe Reader" menu.

Adobe Reader and Acrobat are no strangers to exploits. Last November, attackers jumped on a just-patched vulnerability in Reader 8.1.3 within days.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags adobebugs

More about Adobe SystemsLinuxnCirclenCircle Network SecuritySymantec

Show Comments
[]