Adobe Preps PDF Patches for Reader

Adobe on Thursday will announce the patches it plans to deliver next week for its PDF software, a part of its quarterly security update process.

The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in Reader and Acrobat. The company also said it may issue a patch for the design flaw, which lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability .

It's unlikely that the patch will appear next week, however.

Like Microsoft , Adobe notifies users prior to issuing security updates for its Adobe Reader and Adobe Acrobat programs, providing bare-bones information to give consumers and corporate administrators a heads-up. Adobe will issue patches for Reader and Acrobat on Tuesday, April 13, the same day Microsoft will also release updates for its operating system and other software.

There are no publicly-known unpatched security vulnerabilities in Adobe Reader and Acrobat, according to the Danish bug-tracking firm Secunia. Any updates next week, then, will address privately-reported vulnerabilities or bugs Adobe's own security engineers have uncovered.

But there is the PDF design issue. Last week, Belgium researcher Didier Stevens demonstrated how a multi-stage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Stevens' technique did not require an underlying vulnerability in Adobe Reader, but instead relied on a social engineering approach to dupe users into opening a malicious PDF. The PDF document contained attack code, which Stevens was able to execute by using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

Using Stevens' tactic, hackers would be able to exploit an up-to-date copy of Adobe Reader.

Last week, Adobe acknowledged that Stevens' strategy used a legitimate feature built into Reader and Acrobat, and said it was investigating his claims. At the time, the company declined to say whether it planned to update its software in response.

Yesterday, Adobe softened somewhat, saying it had not ruled out a patch. "We're always looking at options," said company spokeswoman Wiebke Lips. "There are a few options to potentially further protect users." Among those options, she said, was a security update that would patch Reader and Acrobat. Lips declined to commit Adobe to a patch or timetable if the company decides to craft one.

Earlier Tuesday, an Adobe manager echoed Lips . "We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said group product manager Steve Gottwals in an entry on a company blog.

Gottwals also pointed out that consumers and corporate IT administrators can block Stevens-style attacks by rejiggering Reader and Acrobat. By clearing a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences pane, consumers can stymie attacks. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Administrators can force users' copies of Reader and Acrobat into the same state by pushing a change to Windows' registry, Gotwalls added.

While there are no unpatched PDF vulnerabilities on the loose in the public domain, Adobe does have work to do, a prominent researcher said two weeks ago at the security conference where he won a $10,000 prize for hacking Apple 's Safari browser.

According to Charlie Miller, the only hacker to ever "three-peat" at the Pwn2Own contest , Adobe Reader has at least three, possibly four, unpatched exploitable vulnerabilities.

At the same security conference that hosted Pwn2Own, Miller walked others through the "dumb fuzzing" process he used to root out 20 vulnerabilities in products from Adobe, Apple, Microsoft and OpenOffice.org. Rather than hand over details of the bugs he found to those vendors, Miller urged the companies to find the flaws themselves by replicating his methods.

During Miller's investigation, he ran more than three million PDF documents through his fuzzers -- automated tools that stress-test file formats to uncover possible flaws -- and found four he said were exploitable. At least one of those he called "a nasty bug" because it accounted for more than 30 crashes in a single fuzzed file.

Although representatives from Adobe, Apple and Microsoft were at the CanSecWest conference where Miller presented his findings, only Microsoft's approached him afterward to ask questions about how to duplicate his work, Miller said.

Over Twitter , however, Miller and Brad Arkin, Adobe's director for product security and privacy, traded tweets. "Call me egotistical, but give me 2 years on the Reader team and I'd make a pretty solid proggie," Miller boasted last week in a reply to Arkin.

"Send me your proposal and rate. If you've got a compelling plan I'll be happy to pay for your services," Arkin said later.

When asked after the Twitter exchange if he was taking Adobe's challenge seriously, and would go to work for the company, Miller said, "No, just saying I could make that program solid. They couldn't afford me."

Adobe will release its Reader and Acrobat patch plans Thursday at around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Subscribe to the Security Watch Newsletter

Comments