Adobe ‘Protected Mode’ PDF Reader 0-day fix due ‘this week’

Adobe says it will release a patch this week for two previously unseen vulnerabilities that allowed hackers to bypass its ‘Protected Mode’ sandboxing security in Reader and Acrobat X and XI.

The patch for the latest zero-day exploit targeting Adobe software will arrive “during the week of February 18, 2013”, according to a weekend update by Adobe, which has not said precisely when.

Adobe confirmed last week that hackers were exploiting Adobe Reader via malicious PDFs sent to targets as emailed attachments. The flaws affect all current versions of Reader and Acrobat on all desktop platforms.

The patch will fix two vulnerabilities that allowed hackers to bypass “Protected Mode”, a default sandboxing feature of Reader X and XI for Windows that Adobe introduced in 2010. The feature was designed to prevent malware from being installed by running all PDF display processes in a confined environment.

Adobe’s suggested mitigation for recently discovered malicious PDFs that exploited the zero-day flaws was to enable Protected View on Windows installations -- a highly restrictive mode that puts Acrobat into a “read-only” mode and assumes all PDFs are malicious until the user authorises it to move out of that mode.

Similar features were later added to Reader. However, unlike Protected Mode for the two products, Protected View was not on by default, as part of Adobe's effort to strike a balance between usability and security, the company explains in a developer document.

The PDF exploits that were recently discovered by security firm FireEye were able to bypass Protected Mode sandboxing and beat memory-exploitation prevention measures in Reader and Acrobat.

The fixes due will apply to: Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux.


Copyright © 2013 IDG Communications, Inc.
