Current events: Adobe Reader Vulnerability

By sojc701 at 7:57 pm on February 20, 2009 | 7 Comments

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system. “In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location, The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution.” blogged McAfee researcher Geok Meng Ong.

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date. “While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

Adobe acknowledged the zero-day in an advisory to customers calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Filed under: Current Events7 Comments »


  • 1
    Get your own gravatar for comments by visiting

    Comment by sal

    February 20, 2009 @ 9:33 pm

    These type of vulnerabilities seem especially dangerous, as many people don’t realize that it is not only executable files can infect their computers and can open pdf files without any suspicion.

  • 2
    Get your own gravatar for comments by visiting

    Comment by liaowt

    February 21, 2009 @ 11:00 pm

    I do not know there are vulnerabilities on adobe Reader until I read this article. In this post, it mentions that “only open email attachment from people from people they trust”. This is a really hard practice for people.

    People like to search online for information. If the search engine finds a good resource of information, people would rather open it for information than think carefully about the security issue. Moreover, if this file is from some website with *.edu as the URL, I believe most of people will trust it. On the other hand, people can create a fake website and spoof people to open the malicious file for attacking victims’ computer.

  • 3
    Get your own gravatar for comments by visiting

    Comment by Matt

    February 27, 2009 @ 5:31 pm

    one of the main problems with a vulnerability like this is the size of the population using adobe reader/acrobat vs the size of the population who will take security advice into account and respond defensively. Unfortunately, the former set is far larger than the latter set, meaning no matter what recommendations are made concerning the use of DEP and disabling javascript are made. This highlights one of the greatest challenges in security engineering, which is how secure should a system be by default — all the more tricky since the average user will value (overtly) usability over security, and yet will not actively manage their system to mitigate the kinds of vulnerabilities which open up from the increased usability

  • 4
    Get your own gravatar for comments by visiting

    Comment by devynp

    February 27, 2009 @ 6:24 pm

    It looks like the bug only existed because of the JavaScript support in Adobe Reader. It is interesting that adding a new fancy feature, such as JavaScript, does not absolutely make the application better, but it also opens a new attack hole. Because of its JavaScript vulnerabilities, there may be more attacker who will be tempted to attack the JavaScript side of the Adobe Reader. Looks like Adobe needs to make a strong patch against more malicious attacks..

  • 5
    Get your own gravatar for comments by visiting

    Comment by Father_Of_1000000

    February 28, 2009 @ 12:26 am

    I’ve never thought an attack can happen with a PDF file. Looks like I shouldn’t ignore the Adobe Reader updates in the future anymore. How Adobe Reader does the update seems really annoying — it pops up after I boot up my computer. I would expect some kind of third party application (that’s not even used very often) to only suggest updating when I actually use it.

    Although I hear about all these email attacks and such, I’ve never gotten or even seen one in real life. Maybe they go into my spam box through Gmail’s filter.

  • 6
    Get your own gravatar for comments by visiting

    Comment by Michelle

    February 28, 2009 @ 1:28 pm

    Wow, I had no idea that a virus could come through PDF, I always thought they were “safe” – I’ll have to think twice next time I open a PDF file!

  • 7
    Get your own gravatar for comments by visiting

    Comment by alexmeng

    March 13, 2009 @ 6:58 am

    It’s interesting that in Adobe’s attempt to give more functionality to one of its product, Reader, it inadvertently exposed its users’ security on a level they didn’t expect. I wonder during the drafting of the specification of this feature for Reader if security was a point of concern when adding it. Potentially, if they did, they could have anticipated this occurring and done some hardening to prevent this vulnerability to surface?

    Overall, I believe this is a great example of illustrating the point that when integrating a new feature into a product, consider not only the functional aspect but also the security aspect as well. And all the other aspects needed when reviewing a new feature.

RSS feed for comments on this post