Critical no-click Adobe vulnerability fixed, for some
What a great world we'd live in if legitimate businesses were as eager to save us trouble as toil as the malware guys are, right? A critical zero-day flaw in Adobe Reader and Acrobat can be used to attack a Windows machine without even opening the infected file -- the height of convenience indeed.
A buffer-overflow flaw is news to nobody familiar with Windows, but the service targeted, the Windows Indexing Service, may not be familiar to all. That service provides an index of files on the system -- it's how you can see the title and author and so forth for a PDF document in Windows Explorer, or how you view thumbnails if that's your Explorer preference.
The "/JBIG2Decode" exploit involves using a malformed version of that stream object, which Windows attempts to read as it does for all PDF files. Didier Stevens, a European security researcher, released video of a proof-of-concept attack last week that demonstrates the problem as seen through the OllyDbg debugger.
Yes, Adobe knows, warning the populace on February 19 and releasing the first patch, for Adobe 9 (Reader and Acrobat) users, today, numbered 9.1. Patches for those still using versions 7 and 8 of Reader and Acrobat, as well as a 9.1 version for Unix, should be available within a week.
Meanwhile, Adobe notes, various anti-malware packages are ready to defend you, and one can gain a partial measure of safety by disabling JavaScript. In fact, notes Qualys' Wolfgang Kandek, that's not a bad idea in general.
"Given that JavaScript in Adobe Acrobat has its own share of vulnerabilities in the past, it seems reasonable to turn it off by default," the CTO notes. "I have now been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office-oriented usage. In my opinion this is now becoming a best-practice security setting, [one] that should only be relaxed based on end-user needs."