Adobe Warns of Critical Zero Day Vulnerability
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."
Why on earth isn't "Adobe Reader X Protected Mode" the default?
Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad... Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.
...leads to increased vulnerability, whether in biology or in software.
Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new one every day. It sucks, but it's hardly surprising.
On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.
Why do we need support for 3D files, embedded file attachments, JavaScript and all that crap in a file format that was originally intended to print documents? I'm glad that there are alternatives to Adobe Reader that just support the old idea of a printable document file format and nothing more, for example Preview on OS X, for other OS see this list. The crazy thing is that Adobe Reader is promoted by a lot of companies that use PDFs to send out bills electronically, i.e. to open the attachment, you need to download Acrobat Reader. Which is not only a wrong statement, but also a suggestion to install an application that has been plagued with security faults.
It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.
Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!
What more could you ask for?
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
> you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing
Your point is valid, however, how much of that ISO standard is, itself, "ooooh, shiny"-ness which is one of the reasons why Reader has so many more possible places of failure? Before discovering better alternatives for reading PDFs under Windows, the first thing I would do to Adobe Reader was to disable scripting support inside PDF documents.
In other words, I prefer the non-conforming, because that means that (there is a chance that) the implementers might actually be ignoring stupid things which Adobe pushed into the PDF standard which shouldn't be there.