DSD advice regarding release of Adobe Reader XI

Download DSD Broadcast: DSD advice regarding release of Adobe Reader XI (PDF), November 2012

Summary

  1. Using the latest version of third-party applications is one of the most effective of DSD's Strategies to Mitigate Targeted Cyber Intrusions. DSD continues to observe agencies using unpatched or older versions of applications.
  2. Adobe Reader XI, released on 1 October 2012, is the latest version of Adobe Reader and features enhanced security functionality. Adobe Reader XI builds upon a significant security technology enhancement - 'Protected Mode' - first introduced in Adobe Reader X. Protected Mode is a sandboxing technology that makes the successful exploitation of vulnerabilities far more difficult for malicious cyber actors.
  3. As both Adobe Reader X and XI incorporate this sandboxing technology, DSD recommends that agencies using Adobe Reader as their Portable Document Format (PDF) viewer implement Adobe Reader X or higher, where possible, to help mitigate the risk of PDF-based cyber intrusion.

Details

Risks involved with PDFs

  1. As observed by the Cyber Security Operations Centre (CSOC), PDF documents are consistently one of the most common attachment types used to deliver malicious software (malware) in cyber intrusions.
    1. So far in 2012, socially-engineered emails have comprised approximately 80% of the known intrusion methods used in cyber security incidents the CSOC has responded to. Almost one-third of the attachments used were PDF files.
  2. Exploiting Adobe Reader vulnerabilities is a popular way of compromising agency networks because agencies rely heavily on PDF documents to conduct their business, including as email attachments which users often open by default. Malware kits including PDF-based exploits are readily available and many agencies continue to use unpatched or older versions of PDF readers, placing themselves at greater risk of compromise.

Enhanced security with Protected Mode

  1. Adobe Reader X introduced a significant enhancement to security through the Protected Mode feature. Protected Mode is a sandboxing technology that treats all PDFs as malicious and relies on the principle of least privilege to reduce both Adobe Reader's attack surface and the consequences of exploitation.
  2. In Protected Mode, all processing required to display a PDF takes place in a separate, confined execution environment known as a sandbox. To carry out a successful cyber intrusion, a malicious cyber actor would first have to exploit a vulnerability in Adobe Reader, and then use another exploit to escape the sandbox.
  3. For this reason, DSD advises that, where possible, agencies using Adobe Reader as their PDF viewer implement Adobe Reader X or higher.
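
The following PowerShell audit is an added example, not part of the DSD advice or any Adobe tooling. It checks a Windows host for Adobe Reader X or higher and reports whether Protected Mode is switched on. The registry locations and the default-on behaviour are assumptions based on Adobe's documented preference layout, not taken from this page.

```powershell
# Added example: audit a Windows host against the advice above.
# Assumption: registry paths follow Adobe's documented preference layout.
$minMajor = 10   # Adobe Reader X is major version 10; XI is 11

function Get-ProtectedModeValue([string]$Path) {
    # Returns the bProtectedMode DWORD, or $null when the value is not set.
    $p = Get-ItemProperty -Path $Path -Name bProtectedMode -ErrorAction SilentlyContinue
    if ($p) { return $p.bProtectedMode }
    return $null
}

$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$readers = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Reader*' -and $_.DisplayVersion }

if (-not $readers) { Write-Output 'No Adobe Reader installation found.'; return }

foreach ($r in $readers) {
    $ver = $r.DisplayVersion -as [version]
    if (-not $ver) {
        Write-Warning "Cannot parse version '$($r.DisplayVersion)' for $($r.DisplayName)"
        continue
    }
    $sandboxed = $ver.Major -ge $minMajor   # Protected Mode exists only in X and later
    $state = 'Not available (pre-X)'
    if ($sandboxed) {
        $branch = "$($ver.Major).0"         # e.g. 10.0 or 11.0
        # A machine-wide policy value overrides the per-user preference.
        $policy = Get-ProtectedModeValue "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$branch\FeatureLockDown"
        # HKCU covers only the user running this script.
        $user = Get-ProtectedModeValue "HKCU:\Software\Adobe\Acrobat Reader\$branch\Privileged"
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 1 }
        $state = if ($effective -eq 1) { 'Enabled' } else { 'DISABLED' }
        if ($null -eq $policy) { $state += ' (not locked by policy)' }
    }
    [pscustomobject]@{
        Product       = $r.DisplayName
        Version       = $ver
        MeetsAdvice   = $sandboxed
        ProtectedMode = $state
    }
}
```

A host that meets the version recommendation but reports Protected Mode as disabled gains none of the sandboxing benefit described above.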

Further information

  1. Further guidance on how to mitigate PDF-based cyber intrusion can be found in DSD's Protect publications Strategies to Mitigate Targeted Cyber Intrusions and Malicious Email Mitigation Strategy Guide.
  2. Further information about Adobe products can be found on the Adobe website.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.