Adobe preps PDF patches for Reader

Urges users to tweak Reader to protect against no-bug-necessary attacks

Adobe on Thursday will announce the patches it plans to deliver next week for its PDF software, a part of its quarterly security update process.

The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in Reader and Acrobat. The company also said it may issue a patch for the design flaw, which lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability .

It's unlikely that the patch will appear next week, however.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Adobe on Thursday will announce the patches it plans to deliver next week for its PDF software, a part of its quarterly security update process.

The impending updates will come on the heels of Adobe urging users yesterday to beef up defenses in Reader and Acrobat. The company also said it may issue a patch for the design flaw, which lets attackers run executable code on a Windows PC from a malformed PDF without needing to exploit an actual vulnerability .

It's unlikely that the patch will appear next week, however.

Like Microsoft , Adobe notifies users prior to issuing security updates for its Adobe Reader and Adobe Acrobat programs, providing bare-bones information to give consumers and corporate administrators a heads-up. Adobe will issue patches for Reader and Acrobat on Tuesday, April 13, the same day Microsoft will also release updates for its operating system and other software.

There are no publicly-known unpatched security vulnerabilities in Adobe Reader and Acrobat, according to the Danish bug-tracking firm Secunia. Any updates next week, then, will address privately-reported vulnerabilities or bugs Adobe's own security engineers have uncovered.

But there is the PDF design issue. Last week, Belgium researcher Didier Stevens demonstrated how a multi-stage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Stevens' technique did not require an underlying vulnerability in Adobe Reader, but instead relied on a social engineering approach to dupe users into opening a malicious PDF. The PDF document contained attack code, which Stevens was able to execute by using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

Using Stevens' tactic, hackers would be able to exploit an up-to-date copy of Adobe Reader.

Last week, Adobe acknowledged that Stevens' strategy used a legitimate feature built into Reader and Acrobat, and said it was investigating his claims. At the time, the company declined to say whether it planned to update its software in response.

Yesterday, Adobe softened somewhat, saying it had not ruled out a patch. "We're always looking at options," said company spokeswoman Wiebke Lips. "There are a few options to potentially further protect users." Among those options, she said, was a security update that would patch Reader and Acrobat. Lips declined to commit Adobe to a patch or timetable if the company decides to craft one.

Earlier Tuesday, an Adobe manager echoed Lips . "We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said group product manager Steve Gottwals in an entry on a company blog.

Gottwals also pointed out that consumers and corporate IT administrators can block Stevens-style attacks by rejiggering Reader and Acrobat. By clearing a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences pane, consumers can stymie attacks. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.