Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 20th, 2009

Fully-patched Adobe Reader 8.1.3 and 9.0.0 Vulnerable To New In-the-wild Attacks

Adobe confirmed yesterday a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.

The ongoing targeted attacks have since been confirmed by both, Symantec and McAfee urging users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March. According to Symantec, so far these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, it seems that these separate exploit attempts come from the same source. It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.

The original targeted attacks detected by the Shadowserver Foundation are once again using a well known and previously abused Chinese DNS provider There are multiple variants of the exploit that are actively circulating, one of which installs a remote access trojan known as Gh0st RAT.

“Right now we believe these files are only being used in a smaller set of targeted attacks,” Shadowserver’s advisory read. “However, these types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the internet.”

Several anti-virus programs are already detecting the booby-trapped PDFs. Trend Micro and Symantec flag the attack as TROJ_PIDIEF.IN and Trojan.Pidief.E respectively. Both companies rate the threat as low, but this analysis appeared to be a week old, so it’s likely attackers have stepped up the exploit since then.

Adobe has issued an advisory acknowledging a “critical vulnerability” in Reader. Updates won’t be available until March 11 for version 9 and a later date for earlier versions. InsecureWeb has also issued details here.

The toxic PDFs attack a vulnerability that resides in a non-javascript call and “use some javascript to implement a heap spray for successful code execution,” according to an analysis security researcher Matthew Richard provided for Shadowserver. “The malicious PDFs in the wild contain javascript that is used to fill the heap with shellcode.”

Users can disable JavaScript in Adobe Reader and Acrobat until Adobe by clicking “Edit -> Preferences -> JavaScript” and uncheck “Enable Acrobat JavaScript”.

Share this item with others:

More on CyberInsecure:
  • Buffer Overflow Critical Vulnerabilities In Adobe Reader And Acrobat
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild
  • Adobe Patches Older Reader PDF Flaw, In Total 8 Vulnerabilities Patched
  • Exploit Posted For Adobe Reader PDF Zero-day Vulnerability In ‘getAnnots()’ Javascript Function
  • Unpatched 0-day PDF Flaw Harnessed To Launch Targeted Attacks

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Fully-patched Adobe Reader 8.1.3 and 9.0.0 Vulnerable To New In-the-wild Attacks

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.