Adobe took 10 days, but it managed to deliver a fix to the critical vulnerability in Adobe Reader and Acrobat that attackers exploited against defense contractors.
promised, Adobe Systems released a patch addressing zero-day vulnerabilities in
Adobe Reader and Acrobat 9.4.6. The company had announced the vulnerabilities
affecting Adobe Reader and Acrobat
9.x and X on multiple platforms on Dec.
6 and promised a fix within the week.
users are the only ones receiving the Adobe Acrobat and Reader 9.4.7 for
Windows update, Adobe
said in a security bulletin
released Dec. 16. The patch for Adobe Reader
and Acrobat X and for 9.x on Macintosh and Unix will be delivered as part of
the next scheduled quarterly update for Reader and Acrobat on Jan. 10, 2012.
Adobe delayed patches for these versions because the sandbox technology in X
prevents the malicious code from executing, as the threat was considered
minimal on the Unix and Mac OS X platforms.
the fix for 9.x for Windows also made it possible for the team to push out a
patch faster than if it had to develop and test a patch for multiple versions
and platforms, according to a Dec. 6 post on the Adobe Secure Software
Engineering Team blog by Brad Arkin, senior director product security and
privacy at Adobe.
Reader 9 users-
time to patch. Or
better yet, update to Adobe Reader X. Or to some other PDF Reader," Mikko
Hypponen, chief research officer at F-Secure, posted on Twitter.
of the vulnerabilities was reported by Lockheed Martin's Computer Incident
Response Team and various members of the Defense Security Information Exchange.
Symantec researchers and Brand Dixon, an independent researcher, uncovered
malicious PDF files attached to emails
sent to targeted companies
in the telecommunications, manufacturing,
chemical and defense industries. Once the PDF files were opened, the malicious
code executed and could "cause a crash and potentially allow an attacker
to take control of the affected system," Adobe said in the initial
used "social engineering to trick users into opening the file,"
Joshua Talbot, security intelligence manager of Symantec Security Response,
. The precise exploit used
was known as Sykipot, which gathers data on the compromised machines and
forwards it to a remote server.
had uncovered a second zero-day vulnerability that was being exploited in the
wild that could also cause a crash and give attackers control of the system.
The initial issue was a memory corruption vulnerability in the U3D component, a
technology that allows Reader and Acrobat to work with 3D objects. The second
issue was a memory corruption vulnerability in the PRC component, the company's
proprietary format that retains accurate geometry and topology and puts 3D data
inside a PDF, according to the security bulletin released by Adobe.
Adobe Reader and Acrobat team was able to provide a fix for this new issue as
part of today's update," Adobe said. The company is "only aware of
one instance" of the second vulnerability being exploited.
company also released a patch addressing vulnerabilities in its ColdFusion Web
application development platform earlier this week. If left unpatched,
attackers could exploit the vulnerabilities to launch a cross-site scripting
attack in ColdFusion Remote Development Services and in custom tags used to
develop dynamic forms, according to Adobe.