An unofficial patch has been released by a security researcher

Feb 25, 2009 08:24 GMT

Experts from vulnerability research firm Secunia warn that disabling JavaScript in Adobe Reader and Acrobat products does not effectively protect against the recently disclosed 0-day remote code execution vulnerability affecting them. Until Adobe addresses the problem, another security researcher has created an unofficial patch.

Several security vendors and independent researchers have recently warned that an unpatched vulnerability in Adobe Reader and Acrobat, which allows for arbitrary code execution and denial of service, is being actively exploited in the wild through maliciously crafted PDF files. Adobe has acknowledged the flaw, which it has classified as critical, but has noted that a security fix will not be deployed until March.

An analysis released by the ShadowServer cyber-crime fighting outfit has concluded that disabling JavaScript in Adobe Reader and Acrobat is a temporary mitigation solution, which will prevent the code execution issue. "The malicious PDF's in the wild exploit a vulnerability in a non-JavaScript function call. However, they do use some JavaScript to implement a heap spray for successful code execution. The malicious PDF's in the wild contain JavaScript that is used to fill the heap with shellcode," Matt Richard, one of the security researchers who have performed the analysis, explains.

However, reputed vulnerability research company Secunia warns in a blog post that, while the exploits currently used in attacks are blocked by disabling JavaScript, this does not address the vulnerability itself and remote code execution is still possible. "During our analysis, Secunia managed to create a reliable, fully working exploit, which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled," Secunia's Chief Security Specialist Carsten Eiram announces.

Meanwhile, Lurene Grenier, analyst team lead with Sourcefire's Vulnerability Research Team (VRT), has put together what she calls a "homebrew" unsanctioned patch. "The patch is just a replacement DLL – AcroRd32.dll to be precise. […] Unzip it into C:\Program Files\Adobe\Reader 9.0\Reader\ and allow it to overwrite the old version," the researcher explains. The patch, which is 19 MB in size when unpacked, is only for Adobe Reader version 9; users of version 8 are required to upgrade before applying it.

Obviously, as Ms. Grenier points out, this patch comes with no warranty whatsoever, and while she notes that "It WILL prevent all current attacks using the method I described," there might be other, newer attacks that could bypass it. Therefore, security experts conclude that there isn't much that can be done until Adobe rolls out its own update on March 11th, except for exercising extreme caution regarding the origin of any PDF files being opened.

Update: This article has been modified to reflect Lurene Grenier's correct gender.