Security Advisory for Adobe Reader and Acrobat

Discussion in 'other security issues & news' started by ronjor, Dec 6, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
    https://www.adobe.com/support/security/advisories/apsa11-04.html
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Here we go again! Thanks Ron! ;)

    TH
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Thanks for the heads up Ron.

    Cheers.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Their sandbox solves this issue.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,049
    Location:
    USA
    It's the best thing Adobe ever did. Now if they could add it to everything...
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Is protected mode not on by default or something? If not, why?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It should be enabled by default.

    -edit-

    At the image of Internet Explorer, users can disable it, though. And, if users can do it, so can malware. What's there to stop an exploit from actually managing to break out of the sandbox, and then disable Reader's sandbox for future attacks? Or even malware downloaded through e-mail, etc.

    I'd do that, if I knew how. lol
     
    Last edited: Dec 6, 2011
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Malware can't turn it off from within the sandbox though... that wouldn't make much sense.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Damn I think it might be time to switch back to Adobe Reader with that protected mode... I'll wait and see if Windows 8 beta has it built in.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's not what I said...

    I said/asked... What's there to stop an exploit from actually managing to break out of the sandbox, and then disable Reader's sandbox for future attacks? Or even malware downloaded through e-mail, etc.

    -edit-

    I'm not talking about an exploit attacking this vulnerability; it could be any other attacking future known vulnerabilities. I'm saying that the sandbox isn't 100% effective, as it's only code and will have flaws for sure. Making it possible to disable Protected Mode from within user land... I don't like that.

    Then again, if an exploit comes out attacking this vulnerability and if you're hit by it, we can't be 100% confident that Protected Mode will stop it. It should/would, but no guarantees. Software developers are always careful with their words; they never give 100% guarantees, as they don't know it either.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh I see. Yeah, nothing I guess. I would think you'd need admin access to do it but I'm not familiar with Adobe Reader - I just use Chrome to view PDF files.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just disabled Adobe Reader's Protected Mode using regedit.exe under HKCU.

    Does anyone know if there's any ADM template for Adobe Reader? Maybe one could make administrators the only ones able to disable it.

    I did a little search, but came out empty. If they got it, it's very well hidden. :argh:

    -edit-

    I found this non-official -http://sourceforge.net/projects/customadmx/

    I'll take a look.
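Added example, not code from the thread or from Adobe: a PowerShell audit for the situation described in this post, a per-user Protected Mode switch under HKCU that any process running as the user could flip, plus the administrator-side lock that would stop that. The registry paths (`HKCU:\Software\Adobe\Acrobat Reader\<version>\Privileged` and `HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\<version>\FeatureLockDown`) and the value name `bProtectedMode` are assumptions from Adobe's preference reference as I recall it; check them against your installed version before relying on the output.

```powershell
# Added example, not code from the thread. Audits Adobe Reader's Protected Mode
# setting per installed version and reports whether an administrator policy lock
# exists, so a per-user change (the HKCU edit described in the post) is visible.
# ASSUMPTION: key paths and the value name below follow Adobe's preference
# reference as recalled by the editor; verify them against your Reader version.

$UserBase   = 'HKCU:\Software\Adobe\Acrobat Reader'           # per-user prefs
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader'  # admin lockdown
$ValueName  = 'bProtectedMode'   # assumed DWORD: 1 = enabled, 0 = disabled

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null if the key or value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ReaderProtectedModeStatus {
    # One result object per Reader version key found under HKCU.
    $results = @()
    if (-not (Test-Path -Path $UserBase)) { return $results }
    foreach ($verKey in Get-ChildItem -Path $UserBase) {
        $ver       = $verKey.PSChildName
        $userVal   = Get-RegDword -Path (Join-Path $UserBase   "$ver\Privileged")      -Name $ValueName
        $policyVal = Get-RegDword -Path (Join-Path $PolicyBase "$ver\FeatureLockDown") -Name $ValueName

        if ($null -eq $userVal)   { $userState = 'not set' }
        elseif ($userVal -eq 1)   { $userState = 'on' }
        else                      { $userState = 'OFF' }

        if ($null -eq $policyVal) { $lockState = 'none' }
        elseif ($policyVal -eq 1) { $lockState = 'locked on' }
        else                      { $lockState = 'locked OFF' }

        # The user-level switch only matters when no policy value overrides it.
        if ($policyVal -eq 1)     { $finding = 'OK: enforced by policy' }
        elseif ($policyVal -eq 0) { $finding = 'REVIEW: policy disables Protected Mode' }
        elseif ($userVal -eq 0)   { $finding = 'REVIEW: user disabled Protected Mode, no lock' }
        else                      { $finding = 'WARN: no lock, any user-level process can turn it off' }

        $results += [pscustomobject]@{
            Version     = $ver
            UserSetting = $userState
            AdminLock   = $lockState
            Finding     = $finding
        }
    }
    return $results
}

function Set-ReaderProtectedModeLock {
    # Writes the assumed FeatureLockDown value so Protected Mode is forced on
    # regardless of the HKCU setting. Needs an elevated prompt; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Version)
    $path = Join-Path $PolicyBase "$Version\FeatureLockDown"
    if ($PSCmdlet.ShouldProcess($path, "Set $ValueName = 1")) {
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: list status, then (dry run) lock every version that is not already enforced.
$status = Get-ReaderProtectedModeStatus
$status | Format-Table -AutoSize
$status | Where-Object { $_.AdminLock -ne 'locked on' } |
    ForEach-Object { Set-ReaderProtectedModeLock -Version $_.Version -WhatIf }
```

Run the audit as the ordinary user whose profile you care about (HKCU is per user), and drop `-WhatIf` from the last line only from an elevated prompt once you have confirmed the policy key against Adobe's documentation for your version. The point of the HKLM policy value is exactly the one raised in the post: a setting under HKCU is writable by anything running as that user, while a setting under HKLM\SOFTWARE\Policies is not.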
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    They should stop users from being able to disable it. The thing is that once malware is on the system there's not a lot you can do anyways.

    I agree that it's an issue but I don't see it being too big. I'm pretty sure malware can just run Chrome with the command flag to disable the sandbox as well.

    They just don't really need to because once they're on the system they can create a connection of their own.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, if you could make the user break them from the outside, say by opening an e-mail file, wouldn't you rather do it? Because, at this point you'd only have the same rights as the user, but by breaking the sandboxes, you could lately spread an exploit making use of a privilege escalation bug.

    Maybe I got a very peculiar way of thinking... lol
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    From mitigations in the advisory
     
  17. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    I wonder if other readers are affected by that
     
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Adobe responds to the zero-day

    More
     
  19. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    There have been none reported, Sumatra, etc.

     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    Espionage network exploiting Adobe Reader flaw
    By InfoWorld Tech Watch
    Created 2011-12-09 10:21AM

    The Adobe vulnerability has fueled the spread of a spy program targeting corporate and government secrets, says security firm Symantec

    Espionage network exploiting Adobe Reader flaw

    Adobe warned users of its Reader software earlier this week that attackers were using a critical vulnerability in the program to enable "limited, targeted attacks." Today security firm Symantec provided details of the attacks, which appear to have been well-funded efforts aimed at stealing secrets from specific industries and government agencies in the United States and United Kingdom.

    The attacks used crafted e-mails designed to look like personal communications to specific managers or executives at the targeted organization, the company states in its brief analysis [1]. Once the PDF attachment is opened, a Trojan -- dubbed "Sykipot" by Symantec -- infects the system using the vulnerability. Once a system is compromised, it communicates with a network of command-and-control servers hosted on at least a dozen and perhaps more than 50 domains.

    "While the back door Trojan itself isn't very sophisticated or well-coded, the attackers are skilled enough to have discovered multiple zero-day vulnerabilities," the security firm states. "Given the long list of command-and-control servers being used for controlling the botnet, the attackers are unlikely to be a single person, but rather a group of people."

    In March 2010, the same group used a zero-day flaw in Internet Explorer to further its attacks on targets, Symantec says. While the latest attacks appeared to only target Windows systems, the critical vulnerability in Adobe Reader affects Windows, Mac OS X, and Unix, according to Adobe's advisory [2]. Adobe expects to patch the vulnerability the week of Dec. 12.

    The attacks have targeted defense contractors, telecommunications firms, computer-hardware makers, chemical companies, and energy utilities, as well as government agencies, Symantec states. The company would not speculate who was launching the attacks against the sensitive networks, but found evidence that the attacks have lasted at least two years and perhaps as far back as 2006.

    "These attacks have been long running, persistent, and targeted, leading us to believe that the attackers are well-funded and motivated to acquire specific, high-value information," the company states in its analysis.

    While linking such attacks to any particular nation or adversary is difficult, the samples of the Sykipot Trojan analyzed by Symantec contained error messages in Chinese.

    http://www.infoworld.com/t/malware/espionage-network-exploiting-adobe-reader-flaw-181377
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I don't know about the reader, but disabling it in Acrobat is essential for me. I tried turning it on, and everything I wanted to do to a PDF file was blocked. Had to turn it back off. If I need sandboxing, I just open it in SBIE.
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Last edited: Jan 12, 2012