Current State of Adobe Reader Patch Management
Written 15 May 2009
In this article I will outline the current state of Adobe PDF security and offer ideas on how to best manage your way through the current outbreaks.
There has been a dramatic increase in the number of real-world attacks using Adobe's PDF document format over the past several months.
Malicious PDFs have been part of the threat landscape for the past few years, but recent months have witnessed a sharp increase in their use. Microsoft recently released a report saying that the number of PDF-related attacks they measured doubled each month in the second half of 2008. F-Secure recently released a report saying that roughly 48% of document-related attacks arrive as PDFs. Take a look at your own antivirus reporting. Organizations that do might be surprised to see that 2 or 3 of the top 5 classes of attacks thrown at them and caught by their antivirus solutions are arriving in PDF form. How many malicious PDFs are making it past your AV scanners?
Most organizations cannot simply disallow or block PDFs entirely without seriously impacting their organization's ability to function. That leaves antivirus, IPS, secure endpoint configurations, and Adobe product patching as a reasonable set of defensive measures against the malicious PDF threat.
A well-maintained and effective antivirus solution on the border (email servers, web proxies, etc.) as well as on all Windows endpoints is absolutely essential. I won't go further into the subject of antivirus in this article. In my experience to date, even the top-tier IPS solutions, at least as deployed in typical enterprise environments, are detecting only a small percentage of the malicious PDFs currently in the wild.
Patching Adobe Reader and Adobe Acrobat to the latest secure version from Adobe is definitely the most effective defense, but that hasn't proven to be easy recently. Most of the fault appears to fall on Adobe's doorstep. Patches aren't released fast enough, and Adobe stops releasing patches for Reader versions that are still widely deployed. A recent example helps illustrate the problem.
In early January 2009, the person who discovered the recent JBIG2 vulnerability was shopping around for potential buyers. The asking price was $75,000 USD. They approached all the usual buyers in this market, including the US government, the Chinese government, some other foreign governments, Tipping Point, and iDefense. The eventual buyer was in China, but the buyer wasn't the Chinese government. We started seeing exploits in the wild shortly thereafter, as the buyer needed to take advantage of his/her new capability. There has been some speculation that this was used to help seed Ghostnet, but that claim hasn't been substantiated at this point. At any rate, it wasn't until over TWO MONTHS later that Adobe released the first patched version of Adobe Reader. Even then, Adobe only released a full installer for version 9.x, and only MSP patch files for versions 7.1.1 and 8.1.4.
Again in May 2009 when Adobe released patches for the newest set of vulnerabilities, they only released a full installer for 9.x and MSPs for 7.1.2 and 8.1.5.
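The practical consequence of Adobe shipping MSP files for some branches and a full installer for others is that a patch roll-out first has to sort every endpoint by what it can actually take. The script below is an added example, not code from the article or from Adobe: it reads a constructed inventory export and classifies each host as already patched, eligible for the May 2009 MSP, or needing a full installer. The target versions 7.1.2 and 8.1.5 come from the article; the 9.x build (9.1.1) is a placeholder because the article does not state it; and the assumption that an MSP applies only to the immediately preceding point release on its branch is the common Windows Installer patch behaviour, not something the article asserts.

```python
"""Classify Adobe Reader installs by patch status from an inventory export.

Added example, not from the original article. Labelled assumptions:
  - Targets follow the article's May 2009 release: 7.1.2 and 8.1.5 shipped
    as MSP patches, 9.x as a full installer. The article does not give the
    9.x build; 9.1.1 is a placeholder to be replaced with the vendor's value.
  - An MSP is assumed to apply only to the immediately preceding point
    release on its branch (typical Windows Installer patch behaviour);
    anything older is treated as needing the full installer.
  - The inventory rows below are constructed sample data, not real hosts.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Patched target per major branch: (target_version, how the fix is delivered)
TARGETS: dict[int, tuple[tuple[int, ...], str]] = {
    7: ((7, 1, 2), "msp"),
    8: ((8, 1, 5), "msp"),
    9: ((9, 1, 1), "full"),   # placeholder build, see module docstring
}

# Earliest version the MSP is assumed to apply to (one point release back).
MSP_BASELINE: dict[int, tuple[int, ...]] = {
    7: (7, 1, 1),
    8: (8, 1, 4),
}

# Constructed inventory export (hostname, product, reported version).
INVENTORY = """\
host,product,version
ws-001,Adobe Reader,9.1.0
ws-002,Adobe Reader,8.1.4
ws-003,Adobe Reader,8.1.2
ws-004,Adobe Reader,7.1.2
ws-005,Adobe Reader,6.0.1
ws-006,Adobe Reader,9.1.1
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.1.4' into (8, 1, 4); extra build fields compare correctly as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Return one of: patched, apply-msp, full-install, unsupported-branch."""
    v = parse_version(version)
    major = v[0]
    if major not in TARGETS:
        # e.g. 6.x: no vendor patch exists for this branch; it must be upgraded.
        return "unsupported-branch"
    target, delivery = TARGETS[major]
    if v >= target:
        return "patched"
    if delivery == "msp" and v >= MSP_BASELINE[major]:
        return "apply-msp"
    # Either the branch only has a full installer, or the host is too far
    # behind the MSP baseline for the delta patch to apply.
    return "full-install"


def summarize(csv_text: str) -> dict[str, list[str]]:
    """Group hostnames in an inventory export by the action they need."""
    groups: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row["version"])].append(row["host"])
    return dict(groups)


if __name__ == "__main__":
    for action, hosts in sorted(summarize(INVENTORY).items()):
        print(f"{action:19s} {', '.join(hosts)}")
```

Run against a real export, the "full-install" and "unsupported-branch" buckets are the ones that break a simple "push the MSP" plan: those hosts need the larger installer, and until they get it they remain exposed to the exploits the article describes.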
Is it over? What does the future hold for us?
Word in the underground is that more Adobe Reader exploits exist in private collections, around 15 more at the moment. In short, 2009 is looking like it will continue to be a busy time for PDF exploits, and that trend might continue into 2010 and beyond, depending on what Adobe does in terms of improving their own secure development processes, requiring mandatory fuzzing for their remotely exploitable products, and putting in place more effective processes for quickly and accurately releasing patches to protect their customers as vulnerabilities are reported.
What Can I Do About All of This to Protect My Organization?
For the near term we can expect this trend to continue, and possibly increase.
Why buy software packages and automation solutions from us?
- We offer the best value, quality, and service in the business
- We provide stunningly good world-class support
- We give you a single, easy-to-deploy EXE or MSI that handles everything required for the operating system patch
- We will answer your support questions completely, correctly, and promptly
- We know A LOT about how to quickly initiate, execute, and complete successful software packaging and deployment projects.
- We don't accept payment until you are satisfied with our work, so you can shop with confidence with us.
The price for most simple packaging jobs is normally around US $500 - $1000, depending on the circumstances. If for any reason you are not completely satisfied with the work and follow-on support, we will refund 100% of the purchase price. Please contact firstname.lastname@example.org to discuss your software packaging needs.