Adobe and Foxit plug critical PDF vulnerabilities

From the security desk of Wiz Feinberg
March 11, 2009

On March 9 and 11, Foxit then Adobe released patched, updated versions of their PDF readers, responding to critical vulnerabilities, like the JBIG exploit, currently being exploited in the wild. Until the Foxit patch was announced on the 9th, many people believed that it was a safe alternative to the Adobe Reader. Not so. The Adobe exploits are targeting all Reader and Acrobat versions 7, through 9.0.

Foxit has patched three critical vulnerabilities with version 3.0 Build 1506. You can download the latest patched Foxit PDF Reader here. Interestingly, Foxit was only notified about these exploitable vulnerabilities a few weeks ago, in mid-February and were able to push out a patch in a short time.

Adobe, on the other hand, has been aware of the vulnerabilities in it's PDF Reader and Acrobat PDF encoder for three months (since early January 2009) and just today released the patch. When these security concerns were publicized Adobe recommended disabling JavaScript and browser plug-in functions in the Adobe Reader and in Acrobat. However, it was later demonstrated in a lab test at Secunia that Reader and Acrobat are still exploitable with these functions disabled. The patched versions released on March 11 finally plugs the holes that allow these exploits to occur. JavaScript and displaying a pdf in your browser can now be re-enabled, after you upgrade to Adobe Reader and Acrobat 9.1. Older Readers version 7 and 8 x will be patched on March 18, 2009.

You can download the current version of Adobe Reader here. This Adobe page has links to patch your version of Adobe Acrobat.

Adobe has published a security bulletin about the vulnerabilities affecting its Reader and Acrobat software, with the dates the vulnerabilities were announced and the release dates for the patches. This page goes far back and shows how they have responded to exploitable weaknesses for years.

If you missed the news, Adobe also released a patched version of Adobe Flash Player, on February 24, 2009. Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

The risk of browsing the Internet or opening emails containing links to or attachments containing rigged Flash and PDF files, without being fully patched against the exploit codes, is total system compromise. There have been malicious Flash banner ads released through some affiliate ad services that are capable of redirecting your browser to a hostile web server, where it will attempt to forceably and invisibly download exploit codes to your computer, if you have installed a vulnerable version of Flash Player, or Adobe (PDF) Reader or Acrobat.

You can scan your PCs online at Secunia.com, using their Online Software Inspector tool. It requires Java to operate and will report on any missing Windows patches, as well as any left over insecure versions of third party applications, like Flash, Reader and Java. It provides direct download links to obtain the latest patched versions, plus shows you the exact path to the old, exploitable versions still installed on your PC. I use it and recommend you do so every week, say on Tuesday evenings (after Windows Updates are released on Patch Tuesdays). It usually takes under a minute to complete the online scans. You must uninstall old software and install the updates yourself.

Trend Micro Internet Security products,

for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.