Adobe Reader, Acrobat Patch Set to Come out This Week

With new exploits circulating, Adobe is still on schedule to release a patch Wednesday for a well-publicized zero-day vulnerability affecting Adobe Acrobat and Reader.

The patch will be for version 9 of Acrobat and Reader; patches for 7 and 8 of both products will be coming March 18. Users should move quickly to deploy the fix, which comes on the heels of security blogger Didier Stevens’ discovery of an exploit that works without tricking the user into opening a malicious file. The exploit works by leveraging the Windows Explorer Shell Extension in Adobe Reader.

Stevens posted a proof-of-concept for his creation online.

“Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability,” he blogged. “Just like it would when you would explicitly open the document.”

Stevens’ code is just the latest example of exploits targeting the bug, which researchers believe has been under attack for since at least January. The vulnerability itself is due to an array indexing error in the processing of JBIG2 streams, and can be exploited with a specially crafted PDF file to corrupt arbitrary memory and allow an attacker to take control of a compromised system.

The existence of the vulnerability did not become widely known until February, however, when researchers at the Shadowserver Foundation posted about it on a blog. Though initial reports indicated disabling JavaScript would solve the issue, it in fact only addressed certain exploits and did not address the underlying vulnerability. In the aftermath, security pros offered a variety of advice on mitigation, some of which is listed here.

Though Adobe has taken some flack for its handling of the situation, officials at the company recently defended their actions.

“We take security, including this specific issue, very seriously and are committed to protecting users of our products and technologies,” a spokesperson at Adobe told eWEEK. “We can confirm that the vulnerability affects all platforms for Adobe Reader and Acrobat, as mentioned in our Security Advisory, and that we have listed the vulnerability with a critical rating on all platforms for the products.”