Feeds

Military contractor warns of new Adobe Reader exploit

Attacks already under way

Top three mobile application threats

Attackers are exploiting a vulnerability in the latest versions of Adobe Reader and Acrobat applications to hijack computers running Microsoft Windows, Adobe warned on Tuesday.

The vulnerability, which corrupts memory involved with the U3D, or Universal 3D, file format, was reported by members of Lockheed Martin's computer incident response team and the Defense Security Information Exchange. Both groups monitor security threats affecting military contractors and organizations. Adobe's advisory said the bug is reportedly “being actively exploited in limited, targeted attacks in the wild,” but didn't elaborate.

While attackers are exploiting only Reader 9.x on Windows, all supported versions of Adobe Reader and Acrobat are vulnerable.

Adobe will ship an emergency update no later than the end of next week for Reader 9.x and Acrobat 9.x. Remaining updates for Reader X and Acrobat X, and versions that run on the OS X and UNIX operating systems will be delivered on January 10, the date of Adobe's next scheduled patch release. Brad Arkin, Adobe's senior director of product security and privacy, said a security sandbox built into Reader X prevented attacks from executing malicious code, and that versions written for non-Windows systems aren't being targeted.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier,” he wrote in a blog post. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

The phrase “limited, targeted attacks in the wild” has often been used to describe exploits directed at military contractors and other companies known to possess information that's critical to national security. An attack that extracted sensitive information about RSA SecurID authentication tokens used by 40 million employees to access sensitive corporate and government networks relied on Adobe Flash code embedded in a Microsoft Excel document. Security reporter Brian Krebs recently reported that as many as 100 Fortune 500 companies may have been hit in the same attack.

Over the past year, Adobe has made significant improvements to the security of its software. Key among them is the sandbox it added to the latest version of Reader for Windows. It separates application functions from sensitive parts of the operating system, such as reading and writing to the hard drive. Adobe's ability to more quickly patch vulnerabilities under attack also appears to have improved.

But the current rash of exploits, however small and targeted, shows the continuing risks that come from running the software. With a plethora of document readers available, it's a good idea to switch to one that's less targeted. Windows users who must use the application should immediately switch to Reader X to avail themselves of the huge investment Adobe developers put into it. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.