IT’S PDF TIME:
Over the past several months we have heard and read about IE, Java, and Flash zero-days one after another, and now it’s PDF’s turn. Security experts have identified a PDF zero-day that is being exploited in the wild, and have observed successful exploitation on the latest Adobe PDF Reader versions: 9.5.3, 10.1.5, and 11.0.1.
Upon successful exploitation, the exploit drops two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, a behaviour common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.
Adobe said there are two vulnerabilities (CVE-2013-0640 and CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Mac OS X systems. Active exploits are using malicious PDFs attached to phishing messages purporting to be a travel visa application called Visa form Turkey.pdf.
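The affected-version ranges above can be turned into a quick triage of a software inventory. This is an added example, not code from Adobe or the original post; the inventory rows and host names are constructed, and two choices are assumptions: release tracks older than 9.x are treated as affected, and a fourth build component is ignored.

```python
import re

# Last affected build per release track, taken from the version list above.
# Comparing integer tuples makes "11.0.01" and "11.0.1" the same build.
LAST_AFFECTED = {11: (11, 0, 1), 10: (10, 1, 5), 9: (9, 5, 3)}


def parse_version(text):
    """Turn '11.0.01' into (11, 0, 1); return None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """True/False for a parsable version, None when it cannot be judged."""
    version = parse_version(version_text)
    if version is None:
        return None
    ceiling = LAST_AFFECTED.get(version[0])
    if version[0] < 9:
        return True  # assumption: covered by "9.5.3 and earlier"
    if ceiling is None:
        return False  # release track not named in the advisory text
    # Assumption: judge on major.minor.patch only, ignoring any build suffix.
    return (version + (0, 0, 0))[:3] <= ceiling


def triage(inventory):
    """Group (host, product, version) rows into affected / ok / unknown."""
    report = {"affected": [], "ok": [], "unknown": []}
    for host, product, version in inventory:
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "ok")
        report[key].append((host, product, version))
    return report


# Constructed sample inventory (hosts and rows are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-001", "Adobe Reader", "11.0.01"),
    ("ws-002", "Adobe Reader", "11.0.2"),
    ("ws-003", "Adobe Acrobat", "10.1.5"),
    ("ws-004", "Adobe Reader", "9.5.3"),
    ("ws-005", "Adobe Reader", "10.1.6"),
    ("ws-006", "Adobe Reader", "unknown"),
]
```

Rows that land in "unknown" need a manual look rather than being counted as safe.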
Protected View was introduced into Acrobat in version 10.1 and Reader in 11.0 for Windows; it is a read-only mode that blocks executable files until the user decides the document is trustworthy.
Protected View (Windows only)
Protected View provides an additional level of security. When Protected View is enabled, PDFs are displayed in a restricted environment called a sandbox. This isolation of the PDFs reduces the risk of security breaches in areas outside the sandbox. Adobe strongly recommends that you use Acrobat in Protected View if you are concerned about security, or if you frequently interact with PDFs on the Internet.
When Protected View is enabled, only basic navigation is allowed. For example, you can open PDFs, scroll through pages, and click links. You can enable Protected View in a PDF that you view in either stand-alone Acrobat or in a web browser.
If you trust the PDF and where it came from, click Enable All Features. The PDF is added to your list of privileged locations and is trusted from then on.
Enable Protected View
Unlike Protected Mode in Reader, Protected View in Acrobat is off by default.
- Choose Edit > Preferences.
- From the categories on the left, select Security (Enhanced).
- Select the Enable Enhanced Security option.
You can find out whether a PDF opened in a browser is in Protected View. Right-click the document in the browser and choose Document Properties. Click the Advanced tab. When Protected View is enabled, the status says Protected Mode: On.