September 2, 2014

Adobe Acrobat source code stolen along with 2.9 million customer records

adobe-logo(LiveHacking.Com) – Adobe has suffered what it is calling a series of “sophisticated attacks” on its network, resulting in the theft of customer information as well as source code for numerous Adobe products including Adobe Acrobat.

It is currently thought that the attackers stole Adobe customer IDs and encrypted passwords as well as personal and financial information relating to 2.9 million of its customers. The data stolen includes customer names, encrypted credit or debit card numbers and expiration dates.

As a result of the breach Adobe has reset all the  relevant customer passwords, and notified the customers whose credit or debit card information was taken. Adobe is also offering the customers, whose card information was taken, the option of a one-year complimentary credit monitoring membership. Adobe has also notified the banks that process its customer payments and have contacted the relevant federal law enforcement agencies.

In what is being seen as a related incident, Adobe is investigating the unauthorized access of source code for Adobe Acrobat, ColdFusion and ColdFusion Builder.  Brian Krebs, a former reporter for The Washington Post and renowned security expert spotted a 40 GB source code dump stored on a server used by some known cyber criminals. The dump contained huge repositories of uncompiled and compiled code that appeared to be for ColdFusion and Adobe Acrobat. Krebs told Adobe about the source dump, Adobe then revealed to Krebs that the company has been investigating a security breach into its networks since Sept. 17, 2013.

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” said Adobe’s Chief Security Officer Brad Arkin. “We’re still at the brainstorming phase to come up with ways to provide higher levels of assurance for the integrity of our products, and that’s going to be a key part of our response. We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Adobe isn’t aware of any zero-day exploits targeting any Adobe products. However, as always, it recommends that customers use only supported versions of its software and apply all available security updates.

In an unrelated announcement, Adobe confirmed it will it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

In Brief: Adobe fixes at least 26 security problems in Adobe Acrobat and Adobe Reader

pdf_icon(LiveHacking.Com) –  Along with its update to Flash, Adobe has released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. The update for the popular PDF file reader and its companion PDF creator is available for Windows, OS X and Linux.

These update addresses vulnerabilities that could cause a crash and possibly allow an attacker to run arbitrary code on an affect system. Details of the bugs fixed are:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, CVE-2013-0623).
  • Use-after-free vulnerability that could lead to code execution (CVE-2013-0602).
  • Heap overflow vulnerabilities that could lead to code execution (CVE-2013-0603, CVE-2013-0604).
  • Stack overflow vulnerabilities that could lead to code execution (CVE-2013-0610, CVE-2013-0626).
  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, CVE-2013-0621).
  • Integer overflow vulnerabilities that could lead to code execution (CVE-2013-0609, CVE-2013-0613).
  • Local privilege escalation vulnerability (CVE-2013-0627).
  • Logic error vulnerabilities that could lead to code execution (CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, CVE-2013-0618).
  • Security bypass vulnerabilities (CVE-2013-0622, CVE-2013-0624).

Affected Versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh