Adobe preps PDF patches for Reader

Urges users to tweak Reader to protect against no-bug-necessary attacks

Adobe on Thursday will announce the patches it plans to deliver next week for its PDF software, a part of its quarterly security update process.

The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in Reader and Acrobat. The company also said it may issue a patch for the design flaw, which lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability .

It's unlikely that the patch will appear next week, however.

Like Microsoft , Adobe notifies users prior to issuing security updates for its Adobe Reader and Adobe Acrobat programs, providing bare-bones information to give consumers and corporate administrators a heads-up. Adobe will issue patches for Reader and Acrobat on Tuesday, April 13, the same day Microsoft will also release updates for its operating system and other software.

There are no publicly-known unpatched security vulnerabilities in Adobe Reader and Acrobat, according to the Danish bug-tracking firm Secunia. Any updates next week, then, will address privately-reported vulnerabilities or bugs Adobe's own security engineers have uncovered.

But there is the PDF design issue. Last week, Belgium researcher Didier Stevens demonstrated how a multi-stage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Stevens' technique did not require an underlying vulnerability in Adobe Reader, but instead relied on a social engineering approach to dupe users into opening a malicious PDF. The PDF document contained attack code, which Stevens was able to execute by using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

Using Stevens' tactic, hackers would be able to exploit an up-to-date copy of Adobe Reader.

Last week, Adobe acknowledged that Stevens' strategy used a legitimate feature built into Reader and Acrobat, and said it was investigating his claims. At the time, the company declined to say whether it planned to update its software in response.

Yesterday, Adobe softened somewhat, saying it had not ruled out a patch. "We're always looking at options," said company spokeswoman Wiebke Lips. "There are a few options to potentially further protect users." Among those options, she said, was a security update that would patch Reader and Acrobat. Lips declined to commit Adobe to a patch or timetable if the company decides to craft one.

Earlier Tuesday, an Adobe manager echoed Lips . "We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said group product manager Steve Gottwals in an entry on a company blog.

Gottwals also pointed out that consumers and corporate IT administrators can block Stevens-style attacks by rejiggering Reader and Acrobat. By clearing a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences pane, consumers can stymie attacks. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Administrators can force users' copies of Reader and Acrobat into the same state by pushing a change to Windows' registry, Gotwalls added.

While there are no unpatched PDF vulnerabilities on the loose in the public domain, Adobe does have work to do, a prominent researcher said two weeks ago at the security conference where he won a $10,000 prize for hacking Apple 's Safari browser.

According to Charlie Miller, the only hacker to ever "three-peat" at the Pwn2Own contest , Adobe Reader has at least three, possibly four, unpatched exploitable vulnerabilities.

At the same security conference that hosted Pwn2Own, Miller walked others through the "dumb fuzzing" process he used to root out 20 vulnerabilities in products from Adobe, Apple, Microsoft and Rather than hand over details of the bugs he found to those vendors, Miller urged the companies to find the flaws themselves by replicating his methods.

During Miller's investigation, he ran more than three million PDF documents through his fuzzers -- automated tools that stress-test file formats to uncover possible flaws -- and found four he said were exploitable. At least one of those he called "a nasty bug" because it accounted for more than 30 crashes in a single fuzzed file.

Although representatives from Adobe, Apple and Microsoft were at the CanSecWest conference where Miller presented his findings, only Microsoft's approached him afterward to ask questions about how to duplicate his work, Miller said.

Over Twitter , however, Miller and Brad Arkin, Adobe's director for product security and privacy, traded tweets. "Call me egotistical, but give me 2 years on the Reader team and I'd make a pretty solid proggie," Miller boasted last week in a reply to Arkin.

"Send me your proposal and rate. If you've got a compelling plan I'll be happy to pay for your services," Arkin said later.

When asked after the Twitter exchange if he was taking Adobe's challenge seriously, and would go to work for the company, Miller said, "No, just saying I could make that program solid. They couldn't afford me."

Adobe will release its Reader and Acrobat patch plans Thursday at around 1 p.m. ET.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags adobepdf bugpdf

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?