Fully-patched Adobe Reader 8.1.3 and 9.0.0 Vulnerable To New In-the-wild Attacks
Adobe confirmed yesterday a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.
The ongoing targeted attacks have since been confirmed by both Symantec and McAfee, which urge users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March. According to Symantec, so far these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.
While examining the JavaScript code used for “heap-spraying” in these PDFs, it seems that these separate exploit attempts come from the same source. It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.
The original targeted attacks detected by the Shadowserver Foundation are once again using a well-known and previously abused Chinese DNS provider, js001.3322.org. There are multiple variants of the exploit actively circulating, one of which installs a remote access Trojan known as Gh0st RAT.
“Right now we believe these files are only being used in a smaller set of targeted attacks,” Shadowserver’s advisory read. “However, these types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the internet.”
Several anti-virus programs are already detecting the booby-trapped PDFs. Trend Micro and Symantec flag the attack as TROJ_PIDIEF.IN and Trojan.Pidief.E respectively. Both companies rate the threat as low, but this analysis appeared to be a week old, so it’s likely attackers have stepped up the exploit since then.
Adobe has issued an advisory acknowledging a “critical vulnerability” in Reader. Updates won’t be available until March 11 for version 9 and a later date for earlier versions. InsecureWeb has also published details.
The toxic PDFs attack a vulnerability that resides in a non-JavaScript call and “use some javascript to implement a heap spray for successful code execution,” according to an analysis that security researcher Matthew Richard provided for Shadowserver. “The malicious PDFs in the wild contain javascript that is used to fill the heap with shellcode.”
Until Adobe issues a patch, users can disable JavaScript in Adobe Reader and Acrobat by clicking “Edit -> Preferences -> JavaScript” and unchecking “Enable Acrobat JavaScript”.
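As an added example (not from the article, Adobe or Shadowserver), the following Python script triages a PDF for the traits Richard's analysis describes: embedded JavaScript, and JavaScript that builds a heap spray from long `unescape`'d `%uXXXX` runs grown in a loop. The indicator names, the scoring threshold and the sample PDF are all constructed here for illustration; the `%u4141` filler is a placeholder, not shellcode.

```python
import re
import zlib

# Indicators from the analysis above: the PDF carries JavaScript, and that script
# builds a heap spray (long unescape'd %uXXXX runs grown by a loop). Heuristics are ours.
JS_KEYS = re.compile(rb"/(JavaScript|JS)\b")
UNESCAPE = re.compile(rb"unescape\s*\(")
ESCAPE_RUN = re.compile(rb"(?:%u[0-9a-fA-F]{4}){16,}")
GROWTH_LOOP = re.compile(rb"\b(while|for)\b\s*\(.*?\)\s*\{?[^}]*?\+=", re.S)
STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

def inflate_streams(pdf: bytes) -> bytes:
    """Append the cleartext of every FlateDecode stream so JS hidden there is scanned too."""
    parts = [pdf]
    for m in STREAM.finditer(pdf):
        try:  # decompressobj tolerates a trailing \r before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); raw bytes are already in parts[0]
    return b"\n".join(parts)

def triage_pdf(pdf: bytes) -> dict:
    """Score a PDF against the indicators; 'suspicious' needs JavaScript plus two more hits."""
    data = inflate_streams(pdf)
    hits = {
        "has_javascript": bool(JS_KEYS.search(data)),
        "uses_unescape": bool(UNESCAPE.search(data)),
        "long_escape_run": bool(ESCAPE_RUN.search(data)),
        "growth_loop": bool(GROWTH_LOOP.search(data)),
    }
    hits["score"] = sum(hits.values())
    hits["verdict"] = "suspicious" if hits["has_javascript"] and hits["score"] >= 3 else "clean"
    return hits

def build_sample_pdf(js: bytes) -> bytes:
    """Constructed sample (not an in-the-wild file): OpenAction runs Flate-compressed JS."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed spray-shaped script: %u4141 is a placeholder, not shellcode.
SPRAY_JS = (b"var sc = unescape('" + b"%u4141" * 32 + b"');\n"
            b"var pad = unescape('%u4141%u4141');\n"
            b"while (pad.length < 0x40000) pad += pad;\n"
            b"var heap = []; for (var i = 0; i < 200; i++) heap[i] = pad + sc;\n")
BENIGN_JS = b"app.alert('Hello from a harmless document script');\n"
```

`triage_pdf(build_sample_pdf(SPRAY_JS))` scores all four indicators and returns `suspicious`, while the same document carrying `BENIGN_JS` scores only the JavaScript indicator and stays `clean`; the script is a triage aid for a mail gateway or sandbox queue, not a replacement for the vendor signatures named above.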