Slashdot Mirror
Adobe Warns of Critical Zero Day Vulnerability
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."
According to the Wikipedia article on Universal 3D:
The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).
and
There are four editions to date.
The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.
The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.
The fourth edition provides definitions for higher order primitives - curved surfaces.
I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.
If you follow the "exploited to cause a crash ..." link in the initial Slashdot item, you will see that a fix to Acrobat Reader 9 will be available by this coming Monday. You will also see that, unless you disable Protected View in Acrobat Reader 10, you are not vulnerable and thus can wait a month.
I recall the Adobe loading screens on older Acrobat versions. One time while waiting for Acrobat to load its bloated carcass into memory I actually paid attention to the loading messages and noticed "movie.api" among others being loaded. That was the nail in the coffin.
While switching to non-Adobe PDF software may not be in the power of everyone, you can blacklist the Adobe PDF plugin from running in your web-browser. Apart from improving your internet experience it may also help prevent some drive-by PDF exploits.
Why is the parent modded flamebait? S/he's telling the truth. We just discussed this very issue: Does Outsourcing Programming Really Save Money?.
Somebody please mod the parent up. Sometimes the truth isn't pretty, but it's still the truth. I don't care if feelings get hurt by it. It's still the truth.
That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRL's when encountering a digital signature). I used to work for Adobe and I am not here to defend them but in all fairness, you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing.
Duane
Don't forget the shell extension in windows, that enables those zero-day vulns to take effect by just hovering over the file! And unlike the updater and preloader, you can't turn this off without manually meddling with the registry.