Security flaw puts Adobe Acrobat and Reader users at risk

By Danny Palmer
14 Feb 2013

Adobe has been forced to investigate reports of a zero-day security flaw in its Reader and Acrobat software that leaves users vulnerable to cyber-attacks. 

The exploit was discovered by researchers at network security firm FireEye, who suggest users avoid opening any PDF attachments from an unknown source until the loophole is fixed.

"We have already submitted [an infected PDF] sample to the Adobe security team. Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files," said a blog post by FireEye.

An Adobe security bulletin said the firm is aware of the exploit being used in the wild, with users being tricked into opening malicious PDF files attached to an email. The flaw exploits the default security settings of the document reader, which Adobe suggests can be countered by switching the software to "protected view".

Users who use the default settings of Adobe Acrobat and Reader software will continue to be potentially at risk from malware.

The reported exploit marks the first known malware to breach Adobe's security sandbox in over two years.

Ross Barrett, senior manager of security engineering for vulnerability management and penetration testing company Rapid 7, praised Adobe's response to the reported breach, but warned that more vulnerabilities will be found in the future.

"To their credit, Adobe has responded promptly to the report and they have recently been very agile in getting fixes out quickly when something like this comes to light. They are at least one step ahead of, say, Java, in their security model and practice, but Adobe Reader, and the PDF standard, are extremely flexible (and therefore complex) pieces of technology - this won't be the last flaw found," he said.

In contrast to the positive reception of Adobe's handling of the threat, security experts have criticised Oracle's slow reaction to flaws in Java, which has been described as "a mess".
