Reader Zero Day Patch on Way

Monday, December 19, 2011 @ 02:12 PM gHale


Adobe will release a patch this coming Friday for an older version of the Reader PDF viewer to stymie attacks like those aimed at major defense contractors earlier this month.

Nine days ago, the company confirmed a critical bug in Reader and promised to fix the flaw in Reader and Acrobat 9.x this week.

The exploits uncovered by security researchers focused on Reader 9.x using malformed PDF documents attached to bogus emails.

A day after Adobe acknowledged the vulnerability, researchers at Symantec confirmed that attacks had targeted defense contractors, as well as individuals working in the telecommunications, manufacturing, computer hardware and chemical sectors. The attacks spiked Dec. 1, Symantec said.

The attackers may have been hoping to steal confidential information from the targeted firms.

If opened by the recipient, the malicious PDF hijacked the Windows PC and infected it with “Sykipot,” a general-purpose backdoor Trojan first spotted in March 2010 as the payload in attacks exploiting a then-unpatched bug in Microsoft’s IE6 and IE7.

“The tool used to create this [malicious PDF] document has little modularity or sophistication…. For this reason alone I have a hard time believing this attack was created by a nation-state government,” said independent security researcher Brandon Dixon. “Instead, I think this was done by a small group of people whose motivation would be to support their government and send data back to them. This sort of behavior fits the Chinese hacker model and gives a bit more value to the Chinese traits identified within the document and dropper.”

Adobe today again told users — as it did last week — that it will not deliver patches for Reader and Acrobat 10 on Windows, or for any version of those applications on Mac OS X and Unix, until Jan. 10, 2012.

It has justified the delay by pointing out that Reader 10 includes an anti-exploit “sandbox” which blocks the in-circulation exploit, and that it has seen no sign of attacks targeting Mac or Linux machines.
