Security Bytes

Feb 24 2009   4:30PM GMT

Adobe zero-day threat limited, so don't panic

Robert Westervelt


The sky is not falling.

Shadowserver Foundation volunteers Steven Adair and Matt Richard sounded the alarm about an Adobe JavaScript zero-day flaw last week. They should be commended for their volunteer work. There’s no doubting the importance of researchers calling out flaws so vendors can quickly fix their products. Adobe responded and will issue a patch by March 11.

Just as some places have a law against shouting “fire” in a crowded theater, those responsible for issuing warnings and protecting customers need to take heed. Those who write about flaws should clearly explain the threat level so readers can assess the risks. Too often the threat is clouded, making risk assessment extremely difficult.

First, there’s a workaround to the Adobe zero-day — disable JavaScript. Yes, that’s easier said than done since it could break critical applications at some businesses.

Second, the threat is minimal — extremely minimal. Security vendors that track these threats are not releasing infection estimates. Hmm. I wonder why? Kevin Haley, director of security response at Symantec, told me the attacks began appearing in the wild in Japan. They have been spreading slowly for several reasons. The attack has been largely unsuccessful. The malicious Adobe file is spreading in an email message that can be detected as malicious and filtered out. And the message being sent is detected as spam in most cases. The threat can also spread if a user visits a website hosting a malicious PDF file. This can be mitigated by preventing Internet Explorer from automatically opening PDF files.

If your firm can’t handle the increased risk, Sourcefire released a homebrew patch for Adobe 9 users. There’s no guarantee the patch will block an attack. But if your users are using common sense and opening Adobe files only from trusted users, and other protections are in place, the risk of infection should be minimal until Adobe issues an update plugging the hole.

There’s no doubt the risk level increases over time when new variants exploiting the code show up in the wild.

Is this a good time to mention Foxit Reader or other alternative PDF readers?

UPDATE: Danish vulnerability clearinghouse Secunia says disabling JavaScript will not prevent exploitation:
Over the last couple of days, we have seen many sources recommend users to disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability.

2 Comments on this Post

  • Robert Westervelt
    Thanks for your comment Anonymous. Do you work for a security vendor? You sound like one. All your points are valid. We all know the limitations of antivirus. The details about Javascript not being the only means of attack came out after this blog post was written. Either way, a security professional needs to weigh the risks here. FUD just gets in the way.
  • Gisabun999
    Funny how they patched Acrobat/Reader 9 first. Probably the least used of the versions they intend on updating. Reader patch comes in at 16MB. Acrobat patches are in the 110MB range. Wow!
