Adobe plugs 6 critical holes in Reader
- 11 January, 2012 22:59
Adobe on Tuesday patched six vulnerabilities in the newest version of its popular Reader PDF viewer, making good on a late-2011 promise when it shipped an emergency update for an older edition.
That update addressed bugs that attackers had exploited with rigged PDF documents emailed to a large number of companies, including major U.S. defense contractors last December, probably as part of an effort to steal confidential information. Researchers found clues in the attack tactics and exploit code that pointed to Chinese hacker involvement.
While Adobe patched Reader 9 on Windows almost a month ago, it deferred updates for Reader 10 on all platforms, and for Reader 9 on Mac and Linux. The exploits would fail if aimed at Reader 10 because of that version's protective "sandbox" technology, Adobe said, and Mac and Linux users were in little danger because attackers were focused on Windows PCs.
Tuesday's update patched not only the two known bugs but also four others. Adobe rated all six as critical, saying in an accompanying advisory that they could give hackers the openings necessary to hijack a computer or infect it with malware.
The four previously undisclosed bugs were reported by researchers from Google's security team, the Danish vulnerability tracking firm Secunia and HP TippingPoint's bug bounty program.
The most up-to-date edition for Linux, version 9.4.7, includes patches for just the two vulnerabilities disclosed last month.
Those already-being-exploited vulnerabilities had been reported to Adobe by Lockheed Martin, one of the U.S.'s largest aerospace and defense contractors, and the Defense Security Information Exchange (DSIE), a group of defense contractors that share cyber-attack intelligence.
Adobe also added a new security feature to Reader 9.5 and 10.1.2 -- the designations for the patched versions released Tuesday -- that lets company IT administrators disable JavaScript in some PDFs while allowing it to function in others.
According to Steve Gottwals, Reader's group product manager, the new "whitelisting" feature allows administrators to switch off JavaScript in all PDFs except those that are designated as "trusted."
"If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution," said Gottwals in a blog post yesterday. "The trust decision is based on Privileged Locations."
Previously, administrators could only switch JavaScript on or off.
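To make the difference between the old global switch and the new per-document decision concrete, here is a small model of the policy in Python. It is an added example, not Adobe's code: Reader keys the decision on its Privileged Locations list, whereas the trusted-directory and trusted-host matching rules, the `Policy` fields and the sample paths below are assumptions made for illustration only.

```python
"""Model of "JavaScript only in trusted documents" as described in the article.

Added illustration, not Adobe's implementation. The trust list here (directory
prefixes and hostnames) and the matching rules are assumptions; Reader's real
decision is driven by its Privileged Locations configuration.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlparse


@dataclass(frozen=True)
class Policy:
    js_enabled: bool                 # the legacy global on/off switch
    trusted_only: bool               # new behaviour: JS only in trusted documents
    trusted_dirs: tuple[str, ...]    # assumed: POSIX directory prefixes
    trusted_hosts: tuple[str, ...]   # assumed: hostnames documents may come from


def is_trusted(source: str, policy: Policy) -> bool:
    """Return True if the document's origin matches a trusted location."""
    parsed = urlparse(source)
    if parsed.scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        # exact host or any subdomain of a trusted host
        return any(host == h or host.endswith("." + h) for h in policy.trusted_hosts)
    # local file: either a bare path or a file:// URL
    path = PurePosixPath(parsed.path if parsed.scheme == "file" else source)
    # component-wise prefix check, so /srv/policies-old does not match /srv/policies
    return any(path.is_relative_to(d) for d in policy.trusted_dirs)


def javascript_allowed(source: str, policy: Policy) -> bool:
    """Decide whether JavaScript may run for a document opened from `source`."""
    if not policy.js_enabled:
        return False          # globally off: nothing runs, trusted or not
    if not policy.trusted_only:
        return True           # legacy mode: on everywhere
    return is_trusted(source, policy)  # default deny unless trusted


if __name__ == "__main__":
    # constructed sample policy and documents
    enterprise = Policy(True, True, ("/srv/policies",), ("intranet.example",))
    for doc in ("/srv/policies/handbook.pdf",
                "/home/alice/Downloads/invoice.pdf",
                "https://docs.intranet.example/report.pdf",
                "https://unknown.example/report.pdf"):
        print(doc, "->", "JS allowed" if javascript_allowed(doc, enterprise) else "JS blocked")
```

The point of the model is the third branch: with `trusted_only` set, the answer for any document outside the trusted list is "blocked" by default, which is what lets an administrator keep JavaScript off for mail attachments and downloads while internal forms keep working.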
Security experts applauded the additional flexibility Tuesday.
"The better manageability lets you turn [JavaScript] off, but allows it to work on documents from certain sites, like those within the organization," said Wolfgang Kandek, chief technology officer at Qualys. "I think it's a very useful feature for enterprises."
JavaScript has been the source of numerous Reader vulnerabilities over the years, and has remained a common way for hackers to compromise PCs, plant malware and steal information via malicious PDFs.
Several of the emergency patches Adobe issued for Reader in 2010, for instance, were due to JavaScript vulnerabilities, while as long ago as 2008, one researcher said Adobe suffered from an "epidemic" of JavaScript bugs.
Both Reader 9.5 and Reader 10.1.2 on Windows and Mac OS X include the new JavaScript whitelisting feature; however, version 9.4.7 for Linux does not.
The updated editions of Reader for Windows and Mac OS X can be downloaded from Adobe's support website. Current users can run the programs' integrated update tool or wait for the software to prompt them that a new version is available.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
- Symantec confirms Reader exploits targeted defense companies - Computerworld
- Adobe - Security Bulletins: APSB12-01 - Security updates available for Adobe Reader and Acrobat
- Adobe Reader and Acrobat X (10.1.2) and 9.5 Add JavaScript Whitelisting Capability « Adobe Secure Software Engineering Team (ASSET) Blog
- Researcher slams Adobe for 'epidemic' of JavaScript bugs - Computerworld
- Adobe - Adobe Reader : For Windows
- Adobe - Adobe Reader : For Macintosh