Feeds

Military contractor warns of new Adobe Reader exploit

Attacks already under way

The Essential Guide to IT Transformation

Attackers are exploiting a vulnerability in the latest versions of Adobe Reader and Acrobat applications to hijack computers running Microsoft Windows, Adobe warned on Tuesday.

The vulnerability, which corrupts memory involved with the U3D, or Universal 3D, file format, was reported by members of Lockheed Martin's computer incident response team and the Defense Security Information Exchange. Both groups monitor security threats affecting military contractors and organizations. Adobe's advisory said the bug is reportedly “being actively exploited in limited, targeted attacks in the wild,” but didn't elaborate.

While attackers are exploiting only Reader 9.x on Windows, all supported versions of Adobe Reader and Acrobat are vulnerable.

Adobe will ship an emergency update no later than the end of next week for Reader 9.x and Acrobat 9.x. Remaining updates for Reader X and Acrobat X, and versions that run on the OS X and UNIX operating systems will be delivered on January 10, the date of Adobe's next scheduled patch release. Brad Arkin, Adobe's senior director of product security and privacy, said a security sandbox built into Reader X prevented attacks from executing malicious code, and that versions written for non-Windows systems aren't being targeted.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier,” he wrote in a blog post. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

The phrase “limited, targeted attacks in the wild” has often been used to describe exploits directed at military contractors and other companies known to possess information that's critical to national security. An attack that extracted sensitive information about RSA SecurID authentication tokens used by 40 million employees to access sensitive corporate and government networks relied on Adobe Flash code embedded in a Microsoft Excel document. Security reporter Brian Krebs recently reported that as many as 100 Fortune 500 companies may have been hit in the same attack.

Over the past year, Adobe has made significant improvements to the security of its software. Key among them is the sandbox it added to the latest version of Reader for Windows. It separates application functions from sensitive parts of the operating system, such as reading and writing to the hard drive. Adobe's ability to more quickly patch vulnerabilities under attack also appears to have improved.

But the current rash of exploits, however small and targeted, shows the continuing risks that come from running the software. With a plethora of document readers available, it's a good idea to switch to one that's less targeted. Windows users who must use the application should immediately switch to Reader X to avail themselves of the huge investment Adobe developers put into it. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.