This time the vulnerability came out during Black Hat and it seems to be serious as Adobe are rushing out a patch for the issue.

This issue effects Adobe Reader client for Windows, Mac and UNIX based systems. This follows shortly after Microsoft pushed out an emergency patch for the .LNK exploit.

Adobe is rushing to develop a patch for a vulnerability in Acrobat Reader revealed at the Black Hat security conference. The update–expected the week of August 16–will be the third time this year that Adobe has been forced to fix flaws outside of its regularly scheduled quarterly update pattern.

Adobe published a security bulletin announcing the upcoming update for Adobe Reader 9.3.3 for Windows, Mac OS X, and UNIX, and Adobe Acrobat for Windows and Mac, as well as Reader and Acrobat version 8.2.3 for the same platforms to resolve a number of security issues. Adobe noted “that these updates represent an out-of-band release. Adobe is currently scheduled to release the next quarterly security update for Adobe Reader and Acrobat on October 12, 2010.”

Microsoft also released an out-of-band patch for the Windows shortcut vulnerability–only a week ahead of the planned Patch Tuesday updates. The rapid turnaround by Adobe from vulnerability discovery to patch is commendable, but the rise in zero-day exploits forcing both Adobe and Microsoft to frequently provide updates outside of the normal patch release cycle threatens to negate the benefits of having a regularly scheduled patch release system.

The issue being addressed by Adobe is a vulnerability in Adobe Reader which was unveiled at Black Hat by security researcher Charlie Miller. Miller has made a name for himself by repeatedly winning the Pwn2Own contest at the CanSec West security conference.

Charlie Miller has rocked it out before at Pwn2Own (more than once) and it was him who unveiled this vulnerability at Black Hat in recent weeks. Adobe have been criticized in the past for not being pro-active enough in their security efforts and coming out with classics like “Wait until year end for security patches”. This is also mentioned in another Network World article published at the same time here.

At least they are jumping to attention this time and doing something about it. And don’t be fooled, this is a serious exploit that can lead to arbitrary code execution when a vulnerable user views a maliciously crafted PDF file containing this exploit.

A Secunia advisory related to the Adobe flaw explains “The vulnerability is caused due to an integer overflow error in CoolType.dll when parsing the “maxCompositePoints” field value in the “maxp” (Maximum Profile) table of a TrueType font. This can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font.”

Summed up in plain English that IT admins and users who are not developers can understand, Secunia adds “Successful exploitation may allow execution of arbitrary code.” Bottom line: an attacker could exploit the Adobe Reader flaw to take control of a vulnerable system and install or execute other malicious software.

Interestingly, it is a flaw in the way fonts are rendered in PDF documents that allows the JailbreakMe Web site to circumvent iPhone defenses and alter the core functionality of the smartphone OS. However, according to Miller the flaws are unrelated to one another. Thankfully, Apple is hard at work updating iOS to address that issue.

As mentioned in the last paragraph the web based jailbreak for Apples latest iOS is also using a PDF flaw as the base exploit to run the jailbreak.

It seems like PDF is breaking in all kinds of different ways, perhaps time to look for a format? Or at least use other PDF readers as we’ve suggested before with Foxit! Although it has a share of vulnerabilities too they are far fewer and less serious than those in Adobe software. Another option suggestion is Nuance PDF Reader.

Source: Network World

Another flaw in the Adobe product suite! It seems like PDF is turning into a complex animal, complexity of course always brings more security issues.

It was only back in February last year when there was a bug in Adobe Reader, and almost exactly a year later another one.

This time it’s a zero-day just hit and it is being actively exploited, with the worrying statement made that the fix will come in the ‘following weeks‘.

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Hackers have once again turned to PDF files to spread their wares, this time assaulting a zero-day flaw affecting Adobe Reader and Acrobat.

Fortunately, the unpatched bug is on the company’s radar, and fixes for Adobe Reader 9 and Acrobat 9 are slated to be available March 11. Updates for earlier versions will come later, company officials said in an advisory.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system.

Ok March 11th, only about 3 weeks to get a fix for a potentially very serious problem. Allowing complete control over the system, with the majority of people still using the Administrator account to user their computers on a day-to-day basis – that’s not good.

I don’t see how patch management will help here either, the patch won’t be out until 3 weeks after the exploit has become public. With attacks being targeted initially, and becoming more wide spread I would have thought immediate patching would have been more suitable.

“In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location,” blogged McAfee researcher Geok Meng Ong. “The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution.”

“While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public,” the researcher continued. “As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon.”

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date.

“While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

There are some measures to can take to combat the problem, if you’re using Adobe on a corporate network you might want to think about pushing out some changes via Group Policy.

And well once again, another reason to use Foxit! PDF Reader.

Source: eWeek