Adobe Reader vulnerability: what you need to do to stay safe

We had a lively discussion on Google Plus yesterday about the latest Adobe Reader vulnerability (feel free to add me to your circles there to stay in the loop). The vulnerability affects all recent versions of Adobe Reader and Acrobat including the latest release versions. At the time of writing, there is no update available that you can install to protect yourself, your data and your computer from the vulnerability.

The vulnerabilities, which are actively exploited right now on the Internet, can cause Adobe Reader or Acrobat to crash, allowing an attacker to take control of the systems the software is running on. Adobe is aware of email-based attacks that try to trick users into loading attached PDF documents with malware payloads.

Adobe is currently working on a fix to patch the vulnerability in Adobe Reader and Acrobat, but it is not clear yet when the company will release the fix to the public.

The company posted mitigation information on the security advisory page:

Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method.


What's interesting in this regard is that built-in protection blocks attacks from being executed automatically. The real question right now is why it is not enabled by default and what it does.

Protected Mode adds sandboxing to Adobe Reader and Acrobat that prevents malicious PDF documents from launching executable files or writing to system directories or the Windows Registry.


It appears that Protected Mode is enabled in some versions of the program but not in others. The blog post that introduced the feature to the Adobe Reader community in 2010 highlights that Protected Mode will be enabled by default, and it seems that it was for some versions and that Adobe later decided to turn it off by default again.

It is not clear when that happened. A test installation of the latest Adobe Reader version revealed that it is turned off in that version by default. Some users reported that upgrades may also reset some features including Protected Mode.

So, it is strongly recommended that you check the setting in Adobe Reader if you are running Windows to make sure it is enabled.
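One way to check the setting without opening the Preferences dialog, shown here as an added example that is not part of the original article or of Adobe's advisory. The registry paths and value names (`iProtectedView`, `bProtectedMode`, `FeatureLockDown`) are assumptions based on Adobe's enterprise preference documentation for Reader XI, since the article does not list them; verify them for your version before relying on the result.

```powershell
# Added example: audit Protected View / Protected Mode for Adobe Reader XI.
# ASSUMPTION: key paths and value names follow Adobe's enterprise preference
# documentation for Reader XI; they are not given in the article.
$Version   = '11.0'   # Reader XI
$UserRoot  = "HKCU:\Software\Adobe\Acrobat Reader\$Version"
$PolicyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (Reader then uses its built-in default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting {
    param([string]$Name, [string]$UserSubKey)
    # A machine-wide policy value takes precedence over the per-user preference.
    $policy = Get-RegValue -Path $PolicyKey -Name $Name
    $user   = Get-RegValue -Path (Join-Path $UserRoot $UserSubKey) -Name $Name
    [pscustomobject]@{
        Setting   = $Name
        Policy    = $policy
        User      = $user
        Effective = if ($null -ne $policy) { $policy } else { $user }
        Locked    = ($null -ne $policy)
    }
}

$view = Get-EffectiveSetting -Name 'iProtectedView' -UserSubKey 'TrustManager'
$mode = Get-EffectiveSetting -Name 'bProtectedMode' -UserSubKey 'Privileged'
$view, $mode | Format-Table -AutoSize

# iProtectedView: 0 = off, 1 = files from potentially unsafe locations, 2 = all files
if ($null -eq $view.Effective -or $view.Effective -lt 1) {
    Write-Warning 'Protected View is off or not configured for this user.'
}
if ($null -ne $mode.Effective -and $mode.Effective -eq 0) {
    Write-Warning 'Protected Mode (sandbox) is explicitly disabled.'
}
if (-not $view.Locked) {
    Write-Warning 'Protected View is not enforced by policy; it can be changed per user.'
}
```

Running this after each Reader upgrade shows whether the preference was reset, and the `Locked` column shows whether a GPO-delivered policy value is in force on the machine.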

It goes without saying that you should also use common sense when you receive PDF documents attached to emails. I'd also suggest disabling the Adobe Reader plugin in the web browser you are using for now. Some browsers, like Chrome and Firefox, offer native PDF readers that you can make use of instead.

Last but not least, switching to a third-party program may also take your system out of the firing line.

Responses to Adobe Reader vulnerability: what you need to do to stay safe

  1. Rick February 14, 2013 at 12:51 pm #

    Yet another reason not to use the bloated Adobe Reader.

  2. ilev February 14, 2013 at 12:59 pm #

    I use Portable Sumatra PDF.

  3. Karl Gephart February 14, 2013 at 1:02 pm #

    Thanks for the info! Good to see version X has the Protected View option as well.

  4. Anonymous February 14, 2013 at 2:55 pm #

    I second Sumatra PDF. A long time ago, it was kind of janky, but these days the only reason I keep around Adobe is for the rare "enhanced" PDF with forms or something silly like that.

    You should probably disable javascript by unchecking File/Preferences/Javascript. It's been nothing but trouble since Adobe introduced it to the format.

  5. Tim February 14, 2013 at 3:48 pm #

    Why aren't my comments showing here?

    • Tim February 14, 2013 at 3:53 pm #

      Maybe I missed it, but I can't remember hearing anything to suggest that Adobe fixed the flaw that Group-IB discovered at the end of last year. If you look at the video Group-IB published, you can see that Protected Mode was on for ALL files, but yet they were still able to run an executable.

      The video is at the following link, where at 50 seconds you can see the Protected Mode settings (on for all files) and also at 1.30 & 3.15 you can see the yellow bar in the PDF document to say protected view was on.

      Oh, for some reason, I can't post YouTube links here, so you'll need to search for "Adobe Reader X/XI zero-day flaw found by Group-IB" on YouTube

      So, was the above flaw fixed in 11.0.1? If not, does that mean that the mitigation information Adobe have published on their security advisory page is not really effective anyway?

  6. Transcontinental February 14, 2013 at 6:14 pm #

    Nothing personal, but if you think about it, many if not all Adobe products are problematic, to put it mildly. No wonder why Steve Jobs was not a fan!

  7. Maou February 15, 2013 at 7:22 am #

    No problem, I'm using Pdf Lite.
    Besides flash player I don't want more bloated software on my computer.

  8. Teiji February 15, 2013 at 11:00 am #

    I've switched to Nitro Reader and never looked back. It's faster and has a super useful built-in virtual printer.

  9. PREM December 17, 2013 at 7:55 pm #


