Recent Vulnerabilities in Adobe Reader Due to Scripting

Somewhere, the creators of Adobe Reader are weeping.

And if they’re not, it won’t be long until they do; with all of the recent vulnerabilities swirling around Adobe Reader, things are going from bad to worse.

But just how bad is bad?

According to CNET, at the RSA security conference earlier this month, F-Secure Chief Research Officer Mikko Hypponen said that users should go so far as to switch their .PDF readers altogether due to the security issues with Adobe Reader. (You can check out a list of alternate .PDF readers here.)

While swearing off Adobe Reader altogether might seem a bit a bit extreme, it’s gotten to the pointwhere avoiding it might be the best thing to do. Since the beginning of this year, more than 47 percent of attacks exploit holes in Acrobat Reader, while six vulnerabilities target Adobe Reader specifically (CNET).

The question that many people are asking is, “how did it get this bad?” We’re going to risk beating a dead horse when answering this question, since a lot of the problems with Adobe Reader can be traced back to an issue that we’ve talked about frequently during the past few months: Disabling scripting by default. We’re constantly advocating the disabling of scripting by default, and the recent vulnerabilities found in Adobe Reader offer yet another reason why it’s a good idea to go no-script.

According to the recent advisory by US-CERT, it’s the “getAnnots()” JavaScript function in Adobe Reader that allows users to be exploited and allows attackers to execute code on the workstation remotely. 

While the obvious answer to the “getAnnots()” problem is to disable scripting, we can accept (albeit reluctantly) that having scripting disabled by default might never happen. That’s why an alternative solution would be to have a white list. Creating a white list is not only more effective, but also less time-consuming than creating a black list. Providing users with the ability to augment the white lists in their profile would afford them the flexibility to view non-mainstream sites like NovaInfosecPortal.

But this is one of those topics where we really want to put a call out to all of you about what can be done to help fix the current problems associated with scripting, and how some of these problems can be avoided in the future. What are you currently working on (whether at work or at home) to make sure that you, your family, and your workplace isn’t taken advantage of due to scripting? Leave a comment or send us a tweet @grecs.

###

If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy list of books that might do the trick. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.