Adobe to release emergency patches for Reader, Acrobat

Adobe is to release security patches for two critical vulnerabilities being exploited by hackers in targeted attacks

Adobe plans to release security patches for two critical vulnerabilities in Reader and Acrobat that are being exploited by hackers in targeted attacks.

The vulnerabilities could cause the applications to crash and potentially allow an attacker to take control of the affected system, the company warned in an advisory.

Adobe said attacks exploiting the vulnerabilities are designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.

No specific date has been given for the release of the security updates, but the company said the patches would be available this week.

Adobe issues monthly patches on the second Tuesday of the month, but the company will release emergency fixes outside its normal schedule for vulnerabilities that pose a significant threat to users.

High-level malware threat

Security firm Kaspersky Lab has warned that the Adobe Reader exploit and the malware it installs are extremely high level and potentially state sponsored, according to US reports.

The firm’s researchers said the exploits are being used to gain arbitrary code execution privileges and escape from the Adobe Reader 10 and 11 sandbox, a technology designed to contain attempts to install malicious software.

The exploit works on Windows 7, including the 64-bit version of the operating system, and bypasses the Windows address space layout randomisation (ASLR) and data execution prevention (DEP) exploit mitigations, the Kaspersky researchers said.

The exploit also drops and executes a malware downloader component that connects to a remote server and downloads two additional components. These two components steal passwords and information about the system configuration, and can also log keystrokes.

The communication between the malware and the command-and-control server is compressed and then encrypted with the Advanced Encryption Standard (AES) using RSA public-key cryptography.

Use Protected View to secure systems

Until the security updates are released, Adobe said users of Reader 11 and Acrobat 11 for Windows can protect themselves from this exploit by enabling Protected View.

To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

Enterprise administrators can protect Windows users across their organisation by enabling Protected View in the registry and propagating that setting via Group Policy (GPO) or any other method.

The vulnerabilities – CVE-2013-0640 and CVE-2013-0641 – affect Adobe Reader and Acrobat versions 9 to 9.5.3, 10 to 10.1.5, and 11 to 11.0.1.

Adobe plans to make available updates for Windows, Macintosh and Linux operating systems.

Adobe also recently released security updates for its Flash and Shockwave software that fixed a total of 19 vulnerabilities, in addition to an emergency update for Flash Player to fix two vulnerabilities that were being exploited by attackers.
