This article originally appeared in TidBITS on 2009-10-16 at 8:03 a.m.
The permanent URL for this article is: http://tidbits.com/article/10652

Protect Yourself from Adobe Acrobat and Reader Vulnerabilities

by Rich Mogull

On 13-Oct-09 Adobe released a major security update [1] for multiple versions of its Adobe Acrobat and Adobe Reader products on Windows, Mac, and Linux, fixing flaws that could allow an attacker to take over vulnerable systems.

Due to Adobe's atrocious security record, I recommend that all Mac users not only immediately patch Adobe Reader and Acrobat, but also make sure they set Apple's Preview as their default PDF reader. Unless you need to access PDF files protected by Adobe's digital rights management, or commonly encounter PDF files that Preview can't display properly, Preview is more than sufficient for day-to-day PDF viewing.

Adobe Acrobat, a commercial product used to create PDF files, is harder to replace, but it's also far less commonly needed. Many Mac programs can generate PDF files directly, and Mac OS X has long had a Save as PDF command in the Print dialog, which enables you to turn anything you can print into a PDF. This likely won't meet the needs of marketing professionals, designers, or ebook publishers, but is sufficient for the average home user or office worker.

The latest vulnerabilities affect Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and Unix, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities allow an attacker to take over your computer if all you do is view a maliciously crafted PDF file. For Windows users, this vulnerability was being exploited in the wild before the patch was released (what we in the security field call a "zero-day vulnerability").

We have no evidence that Mac users are currently being targeted, but we also don't know of any technical obstacle preventing attackers from targeting Macs. Even on Windows, an attacker has to get you to open a malicious file, and while this attack is in the wild, it's certainly not widespread. In other words, your risk as a Mac user right now is quite low, but it's still prudent to patch.

The vulnerabilities are fixed in Adobe Reader [2] 9.2, 8.1.7, and 7.1.4, and in Adobe Acrobat Pro [3] 9.2, 8.1.7, and 7.1.4. Though Adobe has updater programs, they fail often enough that your best bet may be a manual download and update. Note that you will likely have to download and install each interim update in turn; the Acrobat 8.1.7 updater, for instance, installs only on 8.1.6, not on 8.1.5 or earlier.
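A quick way to check whether an installed copy is at or above the fixed release for its branch, as an added example written for this article (it is not Adobe's or TidBITS's code). The fixed versions are the ones listed above; the bundle paths in DEFAULT_BUNDLES are assumed defaults for a typical Mac, and installed_version() shells out to the macOS defaults command, so only that function is Mac-specific. The comparison treats any branch without a listed fix (6.x and older) as vulnerable.

```python
"""Is the installed Adobe Reader / Acrobat at or above its branch's fixed release?"""
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per major branch, as listed in the article for this bulletin.
FIXED_VERSIONS = {9: (9, 2, 0), 8: (8, 1, 7), 7: (7, 1, 4)}

# Assumed bundle locations (hypothetical defaults; adjust for your Mac).
DEFAULT_BUNDLES = [
    "/Applications/Adobe Reader 9/Adobe Reader.app",
    "/Applications/Adobe Reader 8/Adobe Reader.app",
    "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app",
]


def parse_version(text: str) -> Version:
    """'9.2' -> (9, 2, 0); '8.1.7' -> (8, 1, 7). Components past the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def format_version(v: Version) -> str:
    """Print (9, 2, 0) the way Adobe does: '9.2'; (8, 1, 7) stays '8.1.7'."""
    return ".".join(map(str, v[:2] if v[2] == 0 else v))


def fixed_version_for(version: str) -> Optional[Version]:
    """First fixed release on the installed major branch, or None if no fix is listed."""
    return FIXED_VERSIONS.get(parse_version(version)[0])


def is_patched(version: str) -> bool:
    """True only if the installed build is at or above its branch's fixed release.
    Branches with no listed fix (6.x and older) are treated as vulnerable."""
    installed = parse_version(version)
    fixed = FIXED_VERSIONS.get(installed[0])
    return fixed is not None and installed >= fixed


def report(version: str) -> str:
    """One-line verdict for an installed version string."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return f"UNSUPPORTED: no fixed release listed for the {parse_version(version)[0]}.x branch"
    if is_patched(version):
        return f"OK: {version} is at or above {format_version(fixed)}"
    return f"VULNERABLE: {version} installed; update to {format_version(fixed)}"


def installed_version(bundle_path: str) -> Optional[str]:
    """Read CFBundleShortVersionString from an app bundle's Info.plist (macOS only)."""
    plist = f"{bundle_path}/Contents/Info"  # `defaults read` takes the path without .plist
    try:
        out = subprocess.run(
            ["defaults", "read", plist, "CFBundleShortVersionString"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None  # bundle missing, or not running on macOS
    return out.stdout.strip()


if __name__ == "__main__":
    for bundle in DEFAULT_BUNDLES:
        found = installed_version(bundle)
        if found is not None:
            print(bundle, "->", report(found))
```

Run it on the Mac in question; bundles that aren't installed are silently skipped, and a VULNERABLE line tells you which release to download.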

This isn't the first time the wings have fallen off the Adobe security plane this year. According to a recent report by the SANS Institute [4], this is at least the third time in the past seven months that Acrobat and Reader were affected by critical zero-day vulnerabilities. While the exploits have targeted Windows users, the vulnerabilities were potentially equally exploitable on Macs.

According to Adobe's security page [5], the company has released nine critical updates, some patching multiple vulnerabilities, for Acrobat and Reader 9.x since February 2009. Adobe has struggled so much with patching that they have switched to a new quarterly patch schedule to help IT administrators keep their systems up to date with the latest security fixes.

With such a poor security record, and considering the PDF support built into Mac OS X for reading and creating documents, it makes little sense to use Reader as your default PDF viewer on a Mac, and Acrobat users should ask themselves if they need the program's extra features.

People who have switched over from Windows, in particular, often install and use Adobe Reader and Acrobat without realizing the native Mac software might already meet their needs. For example, a family member of mine who switched from Windows immediately installed Reader out of habit, not realizing she didn't need it to view most documents (and she has never found a PDF she couldn't view with Preview).

There are exceptions. Preview can't open PDF files protected with Adobe's digital rights management, and it may not render every PDF document properly. The PDF file format has become extremely complex over the years, with support for JavaScript, embedded Flash content, and other active features. Acrobat includes far more extensive controls and content capabilities than simply printing to PDF, especially if you need to manage image resolutions and formats. Of course, this complexity in Reader and Acrobat is where a lot of these security problems come from in the first place: every active feature Reader supports is more parsing code that a malicious file can target, and Preview simply doesn't implement most of it.
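For a PDF you must open in Reader or Acrobat anyway, it helps to know up front whether it carries the active content just mentioned. Below is an added example written for this article (not Adobe's or TidBITS's code) that counts the PDF name tokens for JavaScript, open-time and automatic actions, program launches, embedded Flash and attachments. It is a heuristic for triage, not a detector for any specific flaw: it does not parse PDF syntax, and it resolves the #xx hex escapes PDF allows in names (so /J#61vaScript is still seen as /JavaScript), but it cannot see inside compressed object streams, so it reports a clean scan as inconclusive when /ObjStm is present. The two sample documents are constructed for the example.

```python
"""Heuristic pre-open triage of a PDF for the active-content features named above."""
import re
import sys
from typing import Dict

# Name tokens worth a second look before opening a file in Reader or Acrobat.
RISKY_NAMES: Dict[bytes, str] = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action executed when the document opens",
    b"/AA": "additional actions (run on page or form events)",
    b"/Launch": "launch an external program",
    b"/RichMedia": "embedded Flash / rich media",
    b"/EmbeddedFile": "embedded file attachment",
}
# Object streams hold compressed objects; this scanner does not inflate them,
# so the tokens above could be hidden from it when /ObjStm is present.
OBJSTM = b"/ObjStm"

# Constructed sample: one-page PDF whose catalog runs a JavaScript action on open.
# The action type is written as /J#61vaScript, a legal hex escape for /JavaScript.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /J#61vaScript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> Dict[str, int]:
    """Count each risky name token. A token must be followed by a delimiter, so
    /JS is not matched inside some longer, unrelated name."""
    text = decode_name_escapes(data)
    findings: Dict[str, int] = {}
    for name in RISKY_NAMES:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text)
        if hits:
            findings[name.decode("ascii")] = len(hits)
    return findings


def triage(data: bytes) -> str:
    """Verdict string: suspicious / inconclusive / clean / not a PDF."""
    if b"%PDF" not in data[:1024]:  # readers tolerate junk before the header
        return "not a PDF"
    findings = scan_pdf_bytes(data)
    if findings:
        return "suspicious: " + ", ".join(f"{k} x{v}" for k, v in findings.items())
    if OBJSTM in decode_name_escapes(data):
        return "inconclusive: object streams present, names may be compressed"
    return "no active-content features found"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", triage(fh.read()))
```

A "suspicious" result doesn't mean the file is malicious (plenty of legitimate forms use JavaScript), but it does mean the file exercises exactly the code paths Preview lacks, so it is the kind of document to open in Reader only if you trust where it came from, and only after patching.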

Adobe does recognize the risk these security issues create for their business. Earlier this year they launched a major security initiative [6] to improve the quality of their code and their response process. This is a commendable move, but due to the complexity of software development these initiatives usually take years to manifest fully in released products.

Since these flaws can be triggered only by opening a malicious file in Reader or Acrobat, one of the best steps you can take to limit the chances of future issues (aside from staying up to date with patches) is to set Preview as your default reader. Not that Preview is perfect, but we have yet to see it face the same number of zero-day vulnerabilities or exploits.

Changing your default PDF viewer is easy. Control-click (or right-click) any PDF file and choose Get Info. In the Open With section of the Get Info window, choose Preview from the pop-up menu, and click the Change All button. Note that this setting governs PDFs opened from the Finder and other applications; if Adobe's browser plug-in (AdobePDFViewer.plugin, in /Library/Internet Plug-Ins) is installed, Safari will still hand PDFs to Reader, and you'll need to remove that plug-in to get Safari's built-in PDF display back.

Your current risk as a Mac user of being exploited through this particular flaw is very low, but since Adobe products (Reader, Acrobat, and Flash) are currently among the main sources of cross-platform vulnerabilities, it makes sense to keep them up to date, and use them only when you really need them.

[1]: http://www.adobe.com/support/security/bulletins/apsb09-15.html
[2]: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
[3]: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
[4]: http://www.sans.org/top-cyber-security-risks/
[5]: http://www.adobe.com/support/security/#readermac
[6]: http://blogs.adobe.com/asset/2009/05/adobe_reader_and_acrobat_secur.html