Adobe, make my day. Disable JavaScript by default

"Sophos principal virus researcher Vanja Svajcer guest blogs about the latest security updates from Adobe. Over to you Vanja…"

Vanja Svajcer
Users around the world will be pleased to learn that Adobe has managed to release an accelerated security update for Adobe Reader and Acrobat (APSB10-15) before the planned release date (13th July). The latest version of Adobe Acrobat and Reader for Windows is now 9.3.3.

The security update includes fixes for 17 vulnerabilities, which means that the Adobe PSIRT team has been working very hard over the last month or so.

From the malware protection point of view, the most important vulnerability patched with the latest update is CVE-2010-1297, which has been actively exploited since its discovery on June 5th.

Although the vulnerability affected Adobe Flash, the main vehicle for delivering malicious payloads was PDF files. A booby-trapped PDF file would contain a Flash animation that triggers the vulnerability, JavaScript code used to arrange the memory layout so that the exploit can launch its shellcode reliably, and ultimately an encrypted executable payload that delivers the final functionality. This exploit is more complex than the exploits we have become used to in the last few years, and it may mark a new trend in how exploits and shellcode are written.

The common thread in most, if not all, Adobe exploits is the requirement for JavaScript: the exploits will work correctly only if JavaScript is enabled. This is why we recommend that all users disable JavaScript in Adobe Acrobat and Reader.

You can read more about this vulnerability and the known exploits in our vulnerability analysis.

The second interesting fix, from the malware protection perspective, addresses the issue discovered by Didier Stevens. The issue, which I deliberately won’t call a vulnerability, is due to the specifics of the PDF /Launch action implementation in Adobe’s code. The /Launch action allows a malicious user to embed an executable file and launch it when the user opens a PDF document. This /Launch functionality is now disabled by default in Adobe Reader.
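The two paragraphs above describe the ingredients a defender can look for when triaging PDFs: JavaScript (and the /OpenAction or /AA triggers that run it automatically), a /Launch action, and embedded Flash content, which Acrobat carries in /RichMedia annotations. The script below is an added example, not code from this post or from Sophos or Adobe. It is a keyword triage tool rather than a PDF parser: it undoes the #xx name escapes that PDF allows (so /J#61vaScript is counted as /JavaScript), inflates FlateDecode streams so indicators hidden in compressed objects are visible, and counts the risky names. The sample document it scans is a constructed skeleton with a placeholder file name, not a real malicious file; object streams and filters other than Flate are out of scope.

```python
import re
import zlib

# Name tokens that mark the ingredients of the exploit chains discussed above.
# /RichMedia is the annotation type Acrobat uses for embedded Flash content.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code (string or stream)",
    b"/Launch": "launch action: runs an external program",
    b"/RichMedia": "rich media annotation (embedded Flash)",
    b"/OpenAction": "action that fires when the document is opened",
    b"/AA": "additional actions (page/field event triggers)",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript.

    The escape is only meaningful inside PDF name objects, but for keyword
    triage it is harmless to apply it everywhere.
    """
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def expand_streams(data: bytes) -> bytes:
    """Replace each stream body with its inflated content when it is Flate data.

    Bodies that do not inflate (images, other filters) are left untouched.
    """
    def inflate(match):
        body = match.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass
        return b"stream\n" + body + b"\nendstream"

    return STREAM_RE.sub(inflate, data)


def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrence_count} for every risky name found in the file."""
    text = normalize_names(expand_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        # The lookahead stops /JS from matching a longer name such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits


def report(data: bytes) -> str:
    """Human-readable summary of scan_pdf() for an analyst."""
    hits = scan_pdf(data)
    if not hits:
        return "no risky actions found"
    return "\n".join(f"{name.decode()} x{n}: {RISKY_NAMES[name]}" for name, n in hits.items())


def build_sample_pdf() -> bytes:
    """Constructed sample (assumption: a minimal skeleton, not a real document).

    It carries an open-time JavaScript action whose name is #-escaped, a /Launch
    action with a placeholder file name, a /RichMedia annotation, and a second
    JavaScript action hidden inside a Flate-compressed stream.
    """
    js_stream = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj",
        b"4 0 obj << /S /J#61vaScript /JS 7 0 R >> endobj",  # '#61' is 'a'
        b"5 0 obj << /Type /Annot /Subtype /RichMedia /Rect [0 0 10 10] >> endobj",
        b"6 0 obj << /S /Launch /F (placeholder.exe) >> endobj",
        b"7 0 obj << /Length " + str(len(js_stream)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + js_stream + b"\r\nendstream endobj",
    ]
    return b"%PDF-1.6\n" + b"\n".join(objects) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(report(build_sample_pdf()))
```

Run on a real file with `scan_pdf(open(path, "rb").read())`; a hit on /Launch or on JavaScript combined with /OpenAction or /RichMedia is a reason to open the file only in a reader with JavaScript disabled, or not at all, pending a closer look.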

Though it is obvious that Adobe is doing more to address vulnerabilities found in their products, the high number of patched vulnerabilities indicates that it may be a good time for Adobe to go through a security push and overhaul its approach to building security into its products.

Microsoft already went through a similar exercise, and the results show: vulnerabilities in its products are getting more difficult to discover and exploit.

If nothing else, JavaScript should be disabled by default in Adobe Reader.

Go on Adobe, make my day.