Solved

Trojan Security Vulnerability : targeted attacks on Adobe Acrobat Reader : catch 21

Posted on 2009-02-20
Medium Priority
495 Views
Last Modified: 2012-05-06
Hi,

The security team from HQ issued us the following security alert, but if we disabled Adobe JavaScript (see attached picture/screenshot), will it disable (or create issues) which prevent us from using Adobe to read PDF files?

Any workaround or suggestion that will satisfy the security team and users of Adobe is most appreciated.

===========================================================

[ Summary ]
A vulnerability was reported in Adobe Acrobat Reader that, when successfully
exploited, allows a remote attacker to execute arbitrary code.

An attacker can exploit this issue to execute arbitrary code with the
privileges of the user running the affected application or crash the
application, denying service to legitimate users.

The exploit is delivered as a specially crafted PDF document that, when
triggered, installs several executable files that are embedded inside the
malicious PDF document.

Symantec detects this attack as:
     Trojan.Pidief.E
     Bloodhound.PDF.6.


[ Affected Systems ]
     Adobe Acrobat Reader 9
     Other versions may also be vulnerable


[ Solution/Workaround ]
There is no patch available from the vendor yet. Please implement the
following workarounds and mitigation measures where applicable.

  - Remind users to be vigilant when handling email attachments (PDF
    documents in particular), especially from unsolicited and untrusted
    sources.
  - Remind users not to follow links provided by unknown or untrusted sources.
  - Keep anti-virus signatures updated.
  - Run Adobe Acrobat Reader as a non-privileged user with minimal access
    rights.
  - Disable JavaScript for Acrobat Reader (NOTE: Disabling JavaScript will
    cause a loss in functionality and cause malicious PDFs to crash Reader.
    However, it will protect users from exploitation.)
  (Embedded image moved to file: pic25918.jpg)



[ Reference ]
     https://forums.symantec.com/t5/Vulnerabilities-Exploits/Targeted-PDFs-Used-as-Exploits/ba-p/390532;jsessionid=70B073D6A05063C76BEA403B0B0E3570#A187
     http://www.securityfocus.com/bid/33751
     http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-021212-5523-99
     http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-021215-2608-99
AdobeVulnerPic.jpg
Question by:sunhux
4 Comments
 
LVL 7

Assisted Solution

by:unSpawn
unSpawn earned 600 total points
ID: 23699612
> if we disabled Adobe Javascript (..), will it disable (or create issues) which prevent us from using Adobe to read Pdf files?
Disabling Adobe Javascript may create issues when certain functionality is required inside PDF files (think validation in interactive forms). Disabling Adobe Javascript should *not* hinder reading "plain" PDF files.
Given the nature and severity of the vulnerability, IMHO one shouldn't look for "workarounds". In addition to what your HQ Security Team advised already, please see the CERT advisory (find link in the Securityfocus BID references) for additional measures. * There's at least one PDF reader that installs *without* Javascript functionality: you have to install a separate module. Unless you regularly require Adobe Javascript, Foxit may provide a usable alternative.
0
 
LVL 12

Accepted Solution

by:jahboite
jahboite earned 1400 total points
ID: 23699617
Disabling javascript in Reader will only prevent pdf files with embedded javascript from working as intended.
In terms of reading plain old pdf files there is no impact whatsoever.

I've had javascript disabled since the first time a vulnerability was discovered in the javascript engine in Reader and I've never noticed the lack of javascript - I don't think I've ever come across one with an embedded video or any other reason to allow javascript.

Javascript is used to perform Heap Spraying to improve the chances that the Reader exploit will work and disabling javascript in Reader will prevent this heap spray.  This means that, should you open such a malicious pdf, the exploit attempt will still be executed, but will very likely be unsuccessful and will cause Reader to crash.

This exploit isn't widespread at the moment and it seems to be targeted quite specifically at high value targets, but regardless of this fact, disabling javascript will help mitigate this threat should you be one of these high-value targets and for later when the exploit gets picked-up and used by others.

It could be the middle of March before we see a patch for this issue, so my advice: Disable Javascript and keep an eye open at http://www.adobe.com/support/security/advisories/apsa09-01.html
0
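Both answers above turn on the same point: only PDFs that embed JavaScript lose anything when it is disabled. The following added example (not part of the original thread) tallies how many PDFs on a share would be affected; the function names, result labels and sample documents are constructed here, and the raw byte scan is a heuristic that can over-report and cannot see inside compressed object streams.

```python
import re
from collections import Counter
from pathlib import Path

NAME = re.compile(rb"/([^\x00\s()<>\[\]{}/%]+)")  # one PDF name token
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")           # #xx escape inside a name

SCRIPT = {b"JS", b"JavaScript"}   # keys that declare or carry script
AUTORUN = {b"OpenAction", b"AA"}  # actions that fire without a click
OPAQUE = {b"ObjStm"}              # compressed object streams hide names from a raw scan

def pdf_names(data: bytes) -> Counter:
    """Count name tokens after undoing #xx escapes, so /J#53 counts as /JS."""
    names = Counter()
    for m in NAME.finditer(data):
        names[HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))] += 1
    return names

def js_impact(data: bytes) -> str:
    """Classify one file for a 'disable JavaScript in Reader' rollout."""
    if b"%PDF-" not in data[:1024]:   # header may follow a few junk bytes
        return "not-a-pdf"
    names = pdf_names(data)
    if names.keys() & SCRIPT:
        return "js-autorun" if names.keys() & AUTORUN else "js-present"
    if names.keys() & OPAQUE:
        return "needs-deeper-parse"   # script could sit inside a compressed stream
    return "no-js"

def scan_tree(root: str) -> Counter:
    """Tally classifications for every *.pdf under root (e.g. a file share)."""
    return Counter(js_impact(p.read_bytes()) for p in Path(root).rglob("*.pdf"))

# Constructed sample documents (minimal fragments, not complete PDFs).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
FORM = b"%PDF-1.4\n5 0 obj\n<< /S /JavaScript /JS (validate();) >>\nendobj\n"
AUTO = (b"%PDF-1.4\n1 0 obj\n<< /OpenAction 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /S /J#61vaScript /J#53 (check();) >>\nendobj\n")
PACKED = b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 2 /First 10 >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("form", FORM), ("auto", AUTO), ("packed", PACKED)]:
        print(f"{label:7} {js_impact(doc)}")
```

Files reported as `js-present` or `js-autorun` are the ones whose owners should be asked whether they depend on scripted forms before the setting is rolled out.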
 

Author Comment

by:sunhux
ID: 23700617
Hi

Is there any way to centrally and remotely disable Adobe Javascript, without going to individual users' PCs to manually set/check it?

This is one decision I have to make, because if it's too much of an effort and means manually going to each PC to do it, then we might as well wait for the patch to be available in mid Mar 09 and then push down the patch.
0
 
LVL 12

Assisted Solution

by:jahboite
jahboite earned 1400 total points
ID: 23700779
Good Question.  It's possible to deploy Reader with GPO and the distribution package can be customised with transformations generated with the Adobe Customization Wizard http://www.adobe.com/products/acrobat/solutions/it/index.html so in theory at least, you should be able to redeploy Reader with a custom set of preferences.  Whether you can modify already deployed installations I just don't know.
Have a look at http://www.adobe.com/devnet/acrobat/enterprise_deployment.html and there's a good pdf for Reader 8 at http://www.adobe.com/devnet/acrobat/pdfs/gpo_ad_8.pdf
0
