Adobe Updates Critical 3D Bug in Adobe Reader, Acrobat

As promised, Adobe Systems released a patch addressing zero-day vulnerabilities in Adobe Reader and Acrobat 9.4.6. The company had announced the vulnerabilities affecting Adobe Reader and Acrobat 9.x and X on multiple platforms on Dec. 6 and promised a fix within the week.

Windows users are the only ones receiving the Adobe Acrobat and Reader 9.4.7 for Windows update, Adobe said in a security bulletin released Dec. 16. The patch for Adobe Reader and Acrobat X and for 9.x on Macintosh and Unix will be delivered as part of the next scheduled quarterly update for Reader and Acrobat on Jan. 10, 2012. Adobe delayed patches for these versions because the sandbox technology in X prevents the malicious code from executing, as the threat was considered minimal on the Unix and Mac OS X platforms.

Releasing the fix for 9.x for Windows also made it possible for the team to push out a patch faster than if it had to develop and test a patch for multiple versions and platforms, according to a Dec. 6 post on the Adobe Secure Software Engineering Team blog by Brad Arkin, senior director product security and privacy at Adobe.

"Adobe Reader 9 users—time to patch. Or better yet, update to Adobe Reader X. Or to some other PDF Reader," Mikko Hypponen, chief research officer at F-Secure, posted on Twitter.

One of the vulnerabilities was reported by Lockheed Martin's Computer Incident Response Team and various members of the Defense Security Information Exchange. Symantec researchers and Brand Dixon, an independent researcher, uncovered malicious PDF files attached to emails sent to targeted companies in the telecommunications, manufacturing, chemical and defense industries. Once the PDF files were opened, the malicious code executed and could "cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in the initial advisory.

Attackers used "social engineering to trick users into opening the file," Joshua Talbot, security intelligence manager of Symantec Security Response, told eWEEK. The precise exploit used was known as Sykipot, which gathers data on the compromised machines and forwards it to a remote server.

Adobe had uncovered a second zero-day vulnerability that was being exploited in the wild that could also cause a crash and give attackers control of the system. The initial issue was a memory corruption vulnerability in the U3D component, a technology that allows Reader and Acrobat to work with 3D objects. The second issue was a memory corruption vulnerability in the PRC component, the company's proprietary format that retains accurate geometry and topology and puts 3D data inside a PDF, according to the security bulletin released by Adobe.

"The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update," Adobe said. The company is "only aware of one instance" of the second vulnerability being exploited.

The company also released a patch addressing vulnerabilities in its ColdFusion Web application development platform earlier this week. If left unpatched, attackers could exploit the vulnerabilities to launch a cross-site scripting attack in ColdFusion Remote Development Services and in custom tags used to develop dynamic forms, according to Adobe.