Adobe drops the ball, again...
Feb. 15th 2013
The recent zero-day attacks on Adobe Reader and Acrobat have left many wondering, especially after the recent Flash Player exploit, whether Adobe is capable of making a secure product. FireEye, a private security firm, reported the malicious attack after observing it against multiple versions of Adobe Reader: 9.5.3, 10.1.5, and 11.0.1. This attack bypasses a built-in sandbox, the mechanism designed to contain the Reader process and limit its privileges.
The sandbox is bypassed with a .pdf that drops two .dll files onto the target computer. The first opens Adobe Reader and displays a fake error message; the second opens the malicious .pdf file in the background. At that point the remote attacker can control some processes on the computer. The company is working quickly to address this, but it is not sure when a fix will be finished.
However, Adobe representatives note that they are still investigating the breach, and there is no official way to deal with it at the moment. Security experts warn not to open any unknown PDF files at this time (not that it's EVER a good idea to open an unknown PDF). The part that shocked this author was the response to this hack even occurring:
From: http://www.computerworld.com/s/article/9236751/Zero_day_PDF_exploit_affects_Adobe_Reader_11_and_earlier_versions_researchers_say?taxonomyId=17&pageNumber=2
Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.
The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.
The fact that this is just normal everyday business for an exploit that allows remote control of a system is shocking, and honestly, I'll be using Foxit Reader, Sumatra Reader, or another alternative since Adobe has been so slow in responding. Even now, their response to the hack is the following:
The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.
Telling users to use Protected View is a good idea; however, the fact that it took this long for even a partial workaround is shocking. Another article, "Thanks, Adobe. Protection for critical zero-day exploit not on by default", details how irresponsible this is:
Sadly, as sophisticated as the exploit is, Adobe engineers could have prevented it from succeeding against default configurations of Reader XI had they enabled protected view. Instead, they chose to turn that feature off by default, so the only way users can avail themselves of its benefits is to delve deep into the application settings and manually enable it.
I can't help comparing the move to a car manufacturer that installs airbags in one of its models, but then requires customers to flip a switch before the bags actually inflate during a high-impact crash. Security mitigations are great, but only if they're easily used by the masses.
I especially enjoy that second quote, because essentially it's true. Let's hope Ford doesn't do the same thing with its cars... and let's hope Adobe gives us a reason to have faith, because as it is, I'm just about out of it.