Update: Adobe’s original bulletin listed only Windows and Macintosh as vulnerable platforms. Linux was then added to the list. We’ve updated the article and images to reflect this. (Added 2013-02-15T01:21Z)
Update: Adobe’s bulletin now announces a patch “during the week of 18 February 2013.” Keep your eye out for when it arrives. (Added 2013-02-17T19:04Z)
You’ve probably seen the widely-covered news about an in-the-wild exploit against Adobe’s Reader and Acrobat software.
Even the new and improved security features in the latest version, Reader XI, aren’t enough to head this one off at the pass, at least by default.
(That’s not an indictment of the security technology Adobe introduced in Reader X and boosted further in XI. It’s just a reminder that the crooks don’t simply give up when you raise the bar.)
However, Adobe has now issued a formal bulletin offering you some advice and a possible workaround:
Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.
Adobe is in the process of working on a fix for these issues and will update this advisory when a date for the fix has been determined.
What you might see
If you do get attacked, it might not immediately be obvious.
One in-the-wild sample examined by SophosLabs used the tried-and-tested decoy document technique.
That’s where the exploit doesn’t just take over Reader and use it to inject malware onto your PC, but also reloads Reader with a clean PDF that looks safe and behaves innocently, largely because it is innocent:
The decoy document might not be something you are interested in (maybe you have no need for a visa to visit Turkey).
Nevertheless, it doesn’t look actively suspicious, merely unexpected.
What you can do
This vulnerability, says Adobe, affects Reader and Acrobat, on Windows and Macintosh, in versions 9, X (10) and XI (11).
Linux is affected, but only in version 9, because that’s the most recent Reader available on Linux.
There is a mitigation, but you’ll need to upgrade to XI if you’re not there already, and it’s for Windows only. It won’t work on your Mac or your Linux box.
→ If you do upgrade, don’t forget that Adobe’s installer is foistware, meaning that it tries to get you to install another product at the same time – in this case, Google Chrome and the Chrome toolbar. It’s optional, but sadly you have to opt out, not opt in. And you have to opt out before you start the installation: the installer itself is preconfigured when you download it.
What you do to defend yourself, says Adobe, is to turn on Protected View:
Sophos customers can also use the Application Control feature of Sophos Endpoint Security on Windows to inhibit the use of pre-XI versions of Reader on their network.
Combine this with Adobe’s Windows Policy advice to enforce Protected View wherever it’s supported, and you’ll reduce your attack surface area enormously, without throwing the baby out with the bathwater.
Bad luck Mac users
As you can see, however, Mac users don’t have a Protected Mode or Protected View option:
A simple short-term solution on OS X, if you have Reader installed and would like to keep it around, is simply to revert to the built-in Preview application as the default PDF viewer.
You can still load and use Reader when you want to, but you won’t launch it by mistake and find yourself applying for an unwanted Turkish visa.
(Right click on any PDF file. Choose Get Info. Then use the Open with: option to choose Preview as your default PDF handler, and click Change All to make the change global.)
On Linux, you’re stuck back at Reader 9, which doesn’t have the security mitigations that were introduced for Windows and Macintosh in Reader X and XI.
You might consider switching to a different PDF reader on Linux, at least temporarily, or at least making sure that Reader is not your default PDF handler so it doesn’t start up automatically every time you happen to click on a PDF file.
→ Sophos Anti-Virus on all platforms detects and blocks the malicious PDFs we know of so far as Troj/PDFJs-ADR.
If in doubt
Be cautious about the attachments you open in email.
Targeted attackers usually marry their attachments to your work or interests, so they don’t stand out as obviously as spams that promote cheap Viagra.
Nevertheless, even an attachment sent in a targeted attack is usually unsolicited or unexpected. If in doubt, leave it out!