Feeds

Military contractor warns of new Adobe Reader exploit

Attacks already under way

SANS - Survey on application security programs

Attackers are exploiting a vulnerability in the latest versions of Adobe Reader and Acrobat applications to hijack computers running Microsoft Windows, Adobe warned on Tuesday.

The vulnerability, which corrupts memory involved with the U3D, or Universal 3D, file format, was reported by members of Lockheed Martin's computer incident response team and the Defense Security Information Exchange. Both groups monitor security threats affecting military contractors and organizations. Adobe's advisory said the bug is reportedly “being actively exploited in limited, targeted attacks in the wild,” but didn't elaborate.

While attackers are exploiting only Reader 9.x on Windows, all supported versions of Adobe Reader and Acrobat are vulnerable.

Adobe will ship an emergency update no later than the end of next week for Reader 9.x and Acrobat 9.x. Remaining updates for Reader X and Acrobat X, and versions that run on the OS X and UNIX operating systems will be delivered on January 10, the date of Adobe's next scheduled patch release. Brad Arkin, Adobe's senior director of product security and privacy, said a security sandbox built into Reader X prevented attacks from executing malicious code, and that versions written for non-Windows systems aren't being targeted.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier,” he wrote in a blog post. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

The phrase “limited, targeted attacks in the wild” has often been used to describe exploits directed at military contractors and other companies known to possess information that's critical to national security. An attack that extracted sensitive information about RSA SecurID authentication tokens used by 40 million employees to access sensitive corporate and government networks relied on Adobe Flash code embedded in a Microsoft Excel document. Security reporter Brian Krebs recently reported that as many as 100 Fortune 500 companies may have been hit in the same attack.

Over the past year, Adobe has made significant improvements to the security of its software. Key among them is the sandbox it added to the latest version of Reader for Windows. It separates application functions from sensitive parts of the operating system, such as reading and writing to the hard drive. Adobe's ability to more quickly patch vulnerabilities under attack also appears to have improved.

But the current rash of exploits, however small and targeted, shows the continuing risks that come from running the software. With a plethora of document readers available, it's a good idea to switch to one that's less targeted. Windows users who must use the application should immediately switch to Reader X to avail themselves of the huge investment Adobe developers put into it. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.