We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,108 News Articles

Adobe to take four weeks to patch zero-day flaw

Critical flaw fixed on 12 January 2010

Even though the attack code has been publicly released, Adobe has said it will be another four weeks before it patches the newest critical vulnerability in Adobe Reader and Adobe Acrobat - its PDF viewing and editing software.

In an update yesterday to the security advisory it issued Tuesday, Adobe set the patch date as Jan. 12, 2010, which is also the next regularly scheduled quarterly security update for Adobe Reader and Adobe Acrobat. Most of the advisory was dedicated to confirming the bug - which the company had first disclosed late Monday - and providing instructions for blacklisting the JavaScript API call that contains the flaw.

Other security experts have urged users to disable JavaScript in Reader and Acrobat to protect themselves until Adobe ships a fix.

The story so far:

Adobe's plan to patch next month means that most users will be at risk until then, as researchers have already crafted a working, if not always reliable, exploit for the vulnerability.

HD Moore, the creator of the open-source Metasploit penetration testing framework, and chief security officer for security company Rapid7, said yesterday that he had worked up attack code for the Reader/Acrobat zero-day bug. "We managed to get the exploit sorted out faster than I thought," said Moore in an email to Computerworld yesterday. "It's now available through the online update feature of Metasploit."

He also announced the exploit module's availability via his Twitter feed.

The exploit is not 100% reliable, however. In a reply to a tweet asking why the Metasploit exploit module wasn't working for one user, Moore explained: "tricky bug and some non-English locale's overlap with the heap spray, we should have an update soon."

Unlike other penetration testing frameworks - such as CANVAS, which is developed by Miami Beach-based Immunity - the open-source Metasploit doesn't charge for its exploits. That lets hackers, as well as legitimate security researchers, get their hands on working attack code.

The appearance of an exploit on Metasploit increases the chance that widespread attacks will begin, said Joshua Talbot, a security intelligence manager in Symantec's security response team. "An exploit in Metasploit lets hackers build on that code," said Talbot, referring to the leg-up attackers receive from Moore's work.

For his part, Moore defended Metasploit's practice of providing working exploits to anyone. "Since the bug is 1) public and 2) widely exploited, we feel that adding an exploit module is the right thing to do, as it provides a safe way for folks to verify that their mitigation efforts actually work," Moore said in a Tuesday email.

Hackers are already exploiting the Adobe bug in the wild, said Symantec's Talbot, although the volume of attacks remains low and the campaign has targeted a relatively small number of people. Those users have received email messages with attached PDF files masquerading as briefing notes or interview requests from the CNN cable news channel.

According to the Contagio malware dump website, which posted several examples of attack messages, the Adobe bug has been actively exploited since at least November 30.

The targeted attacks have used the Reader/Acrobat vulnerability to drop information-stealing malware onto victims' PCs, said Symantec in its technical write-up of the attack code.

When it issues the update next month, Adobe will post it to its security support site.

Related articles:

Adobe leaves zero-day attack unpatched for a month

Computerworld.com


IDG UK Sites

Windows 9 release date, price, features: Microsoft teases new OS ahead of 30 September unveiling

IDG UK Sites

From the iPhone 6 to the iWatch and a new Apple TV we look at the products Apple is set to launch...

IDG UK Sites

September 2014 creative trends: 5 things you must see

IDG UK Sites

What to expect from Apple in autumn/winter 2014: iPhone 6, iPhone Air, iWatch, iPad 6, new Apple...