Update: Adobe’s original bulletin listed only Windows and Macintosh as vulnerable platforms. Linux was then added to the list. We’ve updated the article and images to reflect this. (Added 2013-02-15T01:21Z)
Update: Adobe’s bulletin now announces a patch “during the week of 18 February 2013.” Keep your eye out for when it arrives. (Added 2013-02-17T19:04Z)
You’ve probably seen the widely-covered news about an in-the-wild exploit against Adobe’s Reader and Acrobat software.
Even the new and improved security features in the latest version, Reader XI, aren’t enough to head this one off at the pass, at least by default.
(That’s not an indictment of the security technology Adobe introduced in Reader X and boosted further in XI. It’s just a reminder that the crooks don’t simply give up when you raise the bar.)
However, Adobe has now issued a formal bulletin offering you some advice and a possible workaround:
Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.
Adobe is in the process of working on a fix for these issues and will update this advisory when a date for the fix has been determined.
What you might see
If you do get attacked, it might not immediately be obvious.
One in-the-wild sample examined by SophosLabs used the tried-and-tested decoy document technique.
That’s where the exploit doesn’t just take over Reader and use it to inject malware onto your PC, but also reloads Reader with a clean PDF that looks safe and behaves innocently, largely because it is innocent:
The decoy document might not be something you are interested in (maybe you have no need for a visa to visit Turkey).
Nevertheless, it doesn’t look actively suspicious, merely unexpected.
What you can do
This vulnerability, says Adobe, affects Reader and Acrobat, on Windows and Macintosh, in versions 9, X (10) and XI (11).
Linux is affected, but only in version 9, because that’s the most recent Reader available on Linux.
There is a mitigation, but you’ll need to upgrade to XI if you’re not there already, and it’s for Windows only. It won’t work on your Mac or your Linux box.
→ If you do upgrade, don’t forget that Adobe’s installer is foistware, meaning that it tries to get you to install another product at the same time – in this case, Google Chrome and the Chrome toolbar. It’s optional, but sadly you have to opt out, not opt in. And you have to opt out before you start the installation: the installer itself is preconfigured when you download it.
What you do to defend yourself, says Adobe, is to turn on Protected View:
Sophos customers can also use the Application Control feature of Sophos Endpoint Security on Windows to inhibit the use of pre-XI versions of Reader on their network.
Combine this with Adobe’s Windows Policy advice to enforce Protected View wherever it’s supported, and you’ll reduce your attack surface area enormously, without throwing the baby out with the bathwater.
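Checking that the Protected View policy is actually in force on a fleet is easier than eyeballing the Preferences dialog on each machine. The script below is an added example, not Sophos's or Adobe's code: it reads the `FeatureLockDown` policy key that Adobe's Application Security Guide documents for Reader XI, and assumes the value names `bProtectedMode` and `iProtectedView` from that guide (neither appears in the article, so verify them against the guide for your version).

```powershell
# Added example (not from the article). Audits, and optionally enforces, the
# Reader XI Protected Mode / Protected View policy on a Windows host.
# Assumption: policy path and value names per Adobe's Application Security
# Guide for Reader XI; adjust the version segment (11.0) for other releases.
$ReaderPolicyKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown'

function Get-ReaderProtectedViewState {
    param([string]$Key = $ReaderPolicyKey)
    $state = [ordered]@{
        PolicyKeyPresent = $false
        ProtectedMode    = 'not enforced by policy'
        ProtectedView    = 'not enforced by policy'
    }
    if (-not (Test-Path -Path $Key)) { return [pscustomobject]$state }
    $state.PolicyKeyPresent = $true
    $values = Get-ItemProperty -Path $Key

    # bProtectedMode: 1 = sandbox (Protected Mode) locked on, 0 = locked off
    if ($values.PSObject.Properties['bProtectedMode']) {
        $state.ProtectedMode = if ($values.bProtectedMode -eq 1) { 'locked ON' } else { 'locked OFF' }
    }
    # iProtectedView: 0 = off, 1 = files from unsafe locations only, 2 = all files
    if ($values.PSObject.Properties['iProtectedView']) {
        $state.ProtectedView = switch ($values.iProtectedView) {
            0       { 'locked OFF' }
            1       { 'unsafe locations only' }
            2       { 'all files' }
            default { "unrecognised value $($values.iProtectedView)" }
        }
    }
    [pscustomobject]$state
}

function Set-ReaderProtectedViewPolicy {
    # Enforces Protected Mode on and Protected View for all files (needs admin).
    param([string]$Key = $ReaderPolicyKey)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'bProtectedMode' -Value 1 -Type DWord
    Set-ItemProperty -Path $Key -Name 'iProtectedView' -Value 2 -Type DWord
}

# Usage: report the current state, then tighten it if Protected View is not
# already locked to all files.
$before = Get-ReaderProtectedViewState
$before | Format-List
if ($before.ProtectedView -ne 'all files') {
    Set-ReaderProtectedViewPolicy
    Get-ReaderProtectedViewState | Format-List
}
```

The same values can be pushed via Group Policy Preferences or a deployment tool; the point of the audit function is to confirm the setting landed rather than trusting the deployment report.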
Bad luck Mac users
As you can see, however, Mac users don’t have a Protected Mode or Protected View option:
A simple short-term solution on OS X, if you have Reader installed and would like to keep it around, is simply to revert to the built-in Preview application as the default PDF viewer.
You can still load and use Reader when you want to, but you won’t launch it by mistake and find yourself applying for an unwanted Turkish visa.
(Right click on any PDF file. Choose Get Info. Then use the Open with: option to choose Preview as your default PDF handler, and click Change All to make the change global.)
On Linux, you’re stuck back at Reader 9, which doesn’t have the security mitigations that were introduced for Windows and Macintosh in Reader X and XI.
You might consider switching to a different PDF reader on Linux, at least temporarily, or at least making sure that Reader is not your default PDF handler so it doesn’t start up automatically every time you happen to click on a PDF file.
→ Sophos Anti-Virus on all platforms detects and blocks the malicious PDFs we know of so far as Troj/PDFJs-ADR.
If in doubt
Be cautious about the attachments you open in email.
Targeted attackers usually marry their attachments to your work or interests, so they don’t stand out as obviously as spams that promote cheap Viagra.
Nevertheless, even an attachment sent in a targeted attack is usually unsolicited or unexpected. If in doubt, leave it out!
Is Adobe Reader for Linux affected?
Hi Patrick,
Yes, Linux is affected by this issue. Adobe updated their advisory today to mention this. Here is the link (also provided above by Paul):
http://www.adobe.com/support/security/advisories/…
If you are using Adobe Reader/Acrobat 11 (XI) you can use the suggested Protected View mitigation. If not, I would suggest using another PDF reader until this issue is patched.
I hope this helps. Thank you.
When I first wrote this article, Linux wasn't on the list.
But Adobe has (as Jimbo says) added Linux to the list, though only Reader 9 is affected. Sadly, that's the latest version available for Linux…so no mitigation for you, I'm afraid.
Maybe take Jimbo's advice and try a different reader, or at least make sure that Reader isn't the one that opens PDFs by default. (How to check and adjust that setting depends on your distro, window manager and add-ons – one of the joys of the Linux ecosystem being that you have so many ways to get things wrong.)
Thanks, Jimbo. I'll update the article.
Why is it a short-term solution to use Preview as the default pdf reader on a Mac? I always use it. I've never needed to install Acrobat Reader as well.
There are some user features in the Acrobat universe that are designed to work with Reader, but don't necessarily work the same way with other PDF readers, including certain security features. Adobe warns Acrobat Pro users of that condition via screen prompts that display when such features are enabled.
However, if all you ever do with PDFs is read them, and they're not PDFs that use certain special features, then Preview should work fine, and there's no reason to use Adobe's Reader app.
Good point – I will update the text in the article to clarify. I meant that if you have Reader installed and would like to keep it, you can protect yourself a fair bit simply by ensuring it's not the default PDF handler.
If you don't have Reader at all, or are willing to uninstall it for security's sake, then you are right. Reverting to Preview isn't a short-term fix. It's a long-term one.
I tend to install Reader when I particularly need it (for example to take the screenshot for this article :-), but to remove it afterwards, since Preview does almost all I want.
The only feature I very occasionally need that Reader does well, but that Preview doesn't do at all, is to access attachments in encrypted PDFs.
Preview will open an encrypted document just fine, but if there's an attachment in there, it won't extract it. In many ways that is a security feature, I suppose…but once in a blue moon I need to do it.
Ahh, the Adobe Acrobat Preferences dialog … That means netbook users are out in the cold too (do a screen cap and then see how many pixels tall it is – you know it's more than 600!)
A netbook running Reader XI. Seems like you'll need a memory expansion pack – watch out for the dreaded RAM Pack Wobble 🙂
I don't know about Windows, but under Linux you can use 'xrandr' to do software desktop scaling (e.g. scaling by x=1.33 and y=1.28, or perhaps I mean the reciprocals, you squash 1366×768 into 1024×600).
It all ends up a bit fuzzy, and you'll probably get a bit of an eyeache after a while, but it works surprisingly well, and is surprisingly efficient. I keep it up my sleeve for when there's a dialog I simply have to use and which simply will not fit on the regular screen.
Plus, like bashing your head against the wall, "it's so good when you stop" 🙂
Are Mac users who have Sophos installed protected? If not, how can you tell whether you have been infected or not?
Good question! Apologies for not covering it in the first place.
I've updated the article to clarify: Sophos Anti-Virus on all platforms detects and blocks the malicious PDFs we know of so far as Troj/PDFJs-ADR.
I installed Adobe XI this morning, found at the same time that McAfee Security Plan Plus was installed as well… Was it supposed to?
I always use its free Site Advisor.
I ran through the install in a fresh Virtual Machine to be able to grab the screenshot above (that way I know I have a clean install and the real-world defaults).
It tried to shovel Google Chrome and the Chrome Toolbar on me – doubling my download size, if not my attack surface area, at a stroke.
I didn't see any McAfee stuff. Maybe it worked out I'm a Sophos employee and decided that would be just trying *too* hard. Presumably Adobe thinks I'll be happier being talked into a third browser that I don't need added to the IE and Firefox I've already got, rather than a second anti-virus I don't want 🙂
Oracle does this foistiness with Java; Adobe does it with Reader…guys! Please! Enough already! At least make it opt in – if the offer really *is* as good as you claim I'll be clamouring to accept it.
If the Big Guns are actively endorsing the concept of foistware, how will we ever persuade the fringe players to behave in a more straightforward fashion?
It did what Duck warned about and foisted you with unwanted stuff. You need to watch out for the dialog that lets you start the install as that has at least one tick-box, checked (ticked) by default, that causes the installation of the foistware. It's often McAfee but could be Google Chrome and/or Google Toolbar (which you don't need anyway).
Always look for any little boxes that are already checked/ticked and remove the marker to avoid the unwanted foistware.
I’m running Windows Vista and my Adobe security (enhanced) looks like the Mac version. I don’t have Protected Mode either. Should I reinstall?
My reader version is 10.1.5
If you're OK with the idea, you might just want to remove version X (10) and install XI (11) in its place. It's still vulnerable but it has the more detailed security protections that would be handy in this case.
I went to the Adobe Reader XI homepage, but when I clicked download it said I was going to download ver. 10.1.4, while mine is currently 10.1.5? I’m running Windows Vista if that has anything to do with it.
Do other PDF readers like evince offer protection against these vulnerabilities?
It would be nice if someone could answer Malcolm's question. I use FoxIt reader, is it the same with that reader/other readers?
Oops. Sorry, meant to do it earlier.
As far as I know, these vulnerabilities, and the in-the-wild attacks that have exploited them, are not a "PDF thing", but an "Adobe Reader/Acrobat" thing.
So you may assume that PDF viewers not derived from Adobe's code (e.g. Evince, Foxit, xpdf, anything based on libpoppler, the pdf.js viewer built into Firefox) are not vulnerable.
Don't let that tempt you into being more casual with the PDFs you choose to open, though.
Oh…and don't be smug, OK 🙂
Hi everyone,
Adobe has stated that a patch for these flaws will be available some time next week.
Here is the blog post announcing this and a link to the advisory (now updated):
http://blogs.adobe.com/psirt/2013/02/schedule-update-to-security-advisory-for-adobe-reader-and-acrobat-apsa13-02.html
http://www.adobe.com/support/security/advisories/apsa13-02.html
Thanks.