Adobe's first update since the Big Breach - RoboHelp, Acrobat and Reader get patches

Filed Under: Adobe, Featured, Vulnerability

Adobe's Patch Tuesday fixes are out.

This is business as usual, promised long in advance and expected today, so there isn't anything in it related to the company's recent network intrusion woes. (We hope!)

There's a RoboHelp update, discussed in APSB13-24, and fixes for Version XI of Acrobat and Reader, discussed in APSB13-25.

The RoboHelp bug allows potential RCE, or Remote Code Execution, so you definitely want the APSB13-24 patch if you're a RoboHelp user.

The Reader XI and Acrobat XI vulnerability is a little different, and it's just the sort of bug that Adobe could have done without right now, because it's what is known as a regression.

If you're on Reader X or Acrobat X, you're not affected and can stand down from high alert. For now, anyway.

In programming, a regression is when you make new changes that inadvertently counteract various previous changes and, hey presto, a bug that you thought you'd got rid of returns.

If you like, a regression is a sort of anti-patch, where you repeat a mistake you fixed already.

Adobe isn't giving a lot of detail away, but does say:

This update resolves a regression that permitted the launch of javascript scheme URIs when viewing a PDF in a browser (CVE-2013-5325).

The scheme in a URI is the part at the beginning, like http://, or mailto:, that tells your browser how to get to the resource you've just specified.

Until fairly recently, most browsers allowed you to go to the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this: javascript:alert('Popup')

The hazards quickly became obvious once scammers started luring you into "pasting the following web address into the address bar," but including a JavaScript-based URL, not one that used HTTP.

→ There are hundreds of different legal URL schemes, from aaa: (a protocol to do with login, dealing with authentication, authorisation and accounting) to z39.50: (a search and indexing protocol that was made pointless by the web).

JavaScript-based URLs are now considered harmful in your browser's address bar, and so browsers simply ignore them.

So will your Adobe PDF plugin, once you've updated.
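As an added illustration (not code from the article, from Adobe or from any browser), here is the kind of scheme check a PDF viewer or link sanitiser should make before handing a link to the browser: it extracts the URI scheme as RFC 3986 defines it, normalises it, and follows only an allowlist (the allowlist of http, https and mailto is an assumption for this example), so a javascript: URI is refused whatever its capitalisation or leading whitespace.

```python
import re
from typing import List, Optional, Tuple

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), followed by ":".
# The rule is what makes odd-looking schemes such as z39.50: or aaa: legal.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+\-.]*):")

# Assumed allowlist for this example: the only schemes a viewer may pass on.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})


def uri_scheme(uri: str) -> Optional[str]:
    """Return the lowercased scheme of a URI, or None for a scheme-less (relative) reference.

    Leading whitespace is stripped first: address bars tolerated it, so a check
    that compares the raw string misses " javascript:..." entirely.
    """
    match = _SCHEME_RE.match(uri.lstrip())
    return match.group(1).lower() if match else None


def is_safe_link(uri: str) -> bool:
    """Allowlist check: a blocklist of the literal 'javascript:' is fooled by
    'JavaScript:'; comparing the normalised scheme against an allowlist is not."""
    scheme = uri_scheme(uri)
    if scheme is None:          # relative reference such as "chapter2.pdf"
        return True
    return scheme in SAFE_SCHEMES


def triage_links(uris: List[str]) -> Tuple[List[str], List[str]]:
    """Split link targets extracted from a document into (allowed, refused)."""
    allowed, refused = [], []
    for uri in uris:
        (allowed if is_safe_link(uri) else refused).append(uri)
    return allowed, refused


if __name__ == "__main__":
    # Constructed sample of link targets as they might appear in a PDF's link annotations.
    sample = [
        "https://nakedsecurity.sophos.com/",
        "mailto:tips@example.com",
        "chapter2.pdf",
        "javascript:alert('Popup')",   # the article's own address-bar example
        " JavaScript:alert('Popup')",  # same thing, disguised for a naive blocklist
        "z39.50:catalogue",            # syntactically legal, but not on the allowlist
    ]
    ok, bad = triage_links(sample)
    print("allowed:", ok)
    print("refused:", bad)
```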

Should you patch Reader and Acrobat?

And that raises an interesting question: should you apply this patch?

After all, some of you might be feeling a bit cagey about accepting Adobe's patches right now.

The company just admitted that hackers were able to break in and exfiltrate 40GB of product source code from the corporate network, almost certainly including Acrobat.

What if the crooks were also able to make commits? (That's where you save back changes so they can be compiled into the next build.)

If they did so, and their changes weren't spotted, malicious modifications could now be part of an official release.

My own opinion is that this is highly unlikely, not least because modern software engineering tools make it comparatively easy to track the changes to the source code files in a product between builds.

Also, remember that this patch deals with fixing a regression - "repatching" a previous patch - rather than with shepherding in a huge raft of changes throughout the product.

So it's reasonable to assume that if Adobe's recent unauthorised visitors really had made any malware-related modifications, they'd surely have been spotted before release.

In short, if I were an Acrobat or Reader user, I'd take the update.

Of course, as an OS X user my PDF needs are met without having Reader or Acrobat installed, so it's easy for me to say that - a botched release wouldn't affect me directly.


10 Responses to Adobe's first update since the Big Breach - RoboHelp, Acrobat and Reader get patches

  1. Polly · 731 days ago

    This is a pretty convoluted article. I do not know if you say yes to running the patch or no. So it isn't very helpful for doing anything but making me worried, since I have XI already. Sorry, I usually appreciate the articles, but this one, not so much.

    • Paul Ducklin · 731 days ago

      I apologise if you're worried now. I tried to make it as clear as I could given that no-one (not even Adobe) seems to know how much to trust Adobe's software builds right now.

      To summarise what I said above:

      * Some people are worried about applying Adobe patches right now - what if there is code snuck in there by the crooks?

      * But the patch for Reader and Acrobat doesn't seem to involve a huge amount of change, so Adobe (we hope) would have been able to review the changes thoroughly and should have seen any unauthorised modifications.

      * So I think it is reasonable to assume the patches are safe.

      * But I don't use Reader or Acrobat since I have OS X, and that has the PDF functionality I require built in, so it's easy for me to say that :-)

      And now, I'm afraid, *you have to make your own mind up*. I can advise you, but I can't be certain.

      If you're worried, why not drop back to version X? Or use a different PDF reader/maker? (You don't say which product you have. If Reader, then there are a lot of alternatives to Adobe's offering. So trying something else is not such a wild idea.)

      PS. I have added a sentence at the end to say that I'd take the update if I were an Adobe user. Hope that makes things clearer.

  2. I don't need reader or acrobat. I got another program that can open that kind of stuff. That said I wish they would fix their flash so that we have less problems with it.

    • daniellynet · 730 days ago

      I wish we could abandon flash and move to better alternatives.

      • Paul Ducklin · 730 days ago

        If you use it mainly for watching videos or listening to podcasts, HTML5-based browsers (all of them these days?) can pretty much spare the need for Flash.

        • daniellynet · 729 days ago

          Mind elaborating on how?

          I thought you were forced to use Flash for a lot of Youtube's videos (I enabled HTML5, but not every video supports it yet).

          • Paul Ducklin · 729 days ago

            Well, I said "pretty much"...maybe just stick to watching videos that are transcoded for HTML5 players?

            Like, ahhhhh, Sophos 60 Second Security, every Saturday - the latest security news with a twist of humour and a tolerably small sprig of cynicism. I've heard it's excellent :-)

            You could always install Flash and only turn it on when you really need it. (That's what I do, when I want to check that the Flash version of 60 Sec Security plays correctly. Then I turn it off again. Not quite the same as disavowing it altogether, but it works for me.)

            • daniellynet · 729 days ago

              Guess that would be the best way to go right now.

  3. Nigel · 730 days ago

    Thanks for a lucid and informative article (as usual). I appreciated the explanation about URI schemes. I also appreciate knowing that Reader X and Acrobat X aren't affected.

    I too use Preview for most everyday PDF functions, but I occasionally author encrypted, user-fillable forms in Acrobat Pro X. It has never been clear to me what was the advantage in going to Acrobat Pro XI. Now it's clear that there was at least one disadvantage. ;-)

  4. Larry Marks · 730 days ago

    Paul wrote: Until fairly recently, most browsers allowed you to go the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this: javascript:alert('Popup')

    Uhhh, this still works on MSIE8, the latest version offered for Windows XP (which is still in support.)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog