Adobe Patches Critical Zero-day, Better Late than Never
Last updated on: September 7, 2020
Yesterday, one day ahead of the initial schedule Adobe released a patch for a critical vulnerability in Adobe Reader 9. Patches for v8 and v7 are expected next week, a version for Unix in another 2 weeks. The vulnerability (APSA09-01) can be used by an attacker to take control of the affected system. Targeted exploits had been reported by a number of security companies (Symantec, McAfee) in February.
Adobe was first notified of the problem in January and has been working for the last 2 months to develop and test the patch and is finally ready to get it out to its users. According to our data Adobe Reader is a widely installed software package and I would expect that most PCs have a copy of it. 2 months is a rather long time to address the issue and it makes me wonder whether Adobe has a setup to react to security flaws, without going through normal product cycles. Vulnerabilities of such magnitude need to be handled out-of-band, through a dedicated team that has the resources to quickly develop, test and publish the fix.
If you are still not convinced that this is a highly critical security flaw, I suggest that you take a look at Didier Stevens’s blog, where he demonstrates in a video a number of ways to infect a vulnerable machine by just looking at an infected document and another way that uses the Windows Indexing Service to run the exploit and give control of the machine to the attacker. This latter one requires no user action at all.
Apparently disabling JavaScript is/was a partial work-around for the vulnerability. Given that JavaScript in Adobe Acrobat has its own share of vulnerabilities in the past, it seems reasonable to turn it off by default. I have now been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office oriented usage. In my opinion this is now becoming a best practice security setting, that should only be relaxed based on end-user needs, for example for online form usage or workflow automation.
We will monitor closely the adoption of the patch, however considering that so far my Adobe Reader has not prompted me to upgrade my software I am doubtful the adoption will be quick enough. Stay tuned…
References:
- Adobe Advisory APSB09-03
- Didier Steven’s Blog – March 4th: contains the video referenced
- Didier Steven’s Blog – March 9th: Windows Indexing Service exploit