Adobe comes good on a promise made last week, but researchers worry over breaking of Reader’s sandbox protection
Adobe has confirmed a patch covering two critical flaws in Reader and Acrobat will land this week, following reports one of the vulnerabilities was being exploited in the wild.
Adobe noted late last week it was working on a patch and has been quick to react to findings of security researchers, confirming over the weekend fixes would land sometime this week.
Adobe Reader attacks
FireEye reported last week that a PDF zero-day was being exploited. It found that when one of the Reader flaws was successfully exploited, it initiated two Dynamic Link Library (DLL) files, the first of which opened a fake error message and a decoy PDF document, whilst the second dropped a callback component that spoke with a remote domain used by the attackers.
“Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message,” the Reader maker said in its advisory.
“Adobe is in the process of working on fixes for these issues and plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of 18 February 2013.”
As noted by various security researchers, the exploits, if genuine, mark a worrying moment for Adobe, as it is the first known bypass of the sandbox protection built into the latest Adobe Reader.
“Adobe Reader, and the PDF standard, are extremely flexible (and therefore complex) pieces of technology – this won’t be the last flaw found,” warned Ross Barrett, senior manager of security engineering at Rapid7.
The Adobe security team has had a busy month, having rushed out patches for zero-day flaws in Flash Player, which were being exploited by hackers. Mac and Windows users were targeted.
Are you a security pro? Try our quiz!