Recently Patched Adobe Reader Flaw Used By Miscreants To Hijack PCs
Three days after Adobe rushed out a critical update, miscreants are actively exploiting a security flaw to execute malicious code on vulnerable machines. According to SANS Internet Storm Center, researchers have spotted infected PDF files being circulated online. The discovery comes on the heels of the public release of proof-of-concept code exploiting CVE-2008-2992. According to SANS, none of the 32 top anti-virus programs were detecting the malicious files.
The PDFs are being spread through drive-by advertisements on sites deemed "suspicious." At the moment, distribution is fairly light, but that is likely to change soon. Once the rigged PDF is opened, the exploit calls the mshta application in Windows to execute HTA files. It retrieves the trojan from a different web site and executes it on the infected machine.
The payload is a JavaScript object embedded in the PDF document. Once extracted, it carries only a first layer of obfuscation: a simple eval(unescape()) call. Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts.
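A defender-side triage script for the pattern described above, added here as an example that is not part of the original article or of the SANS analysis: it pulls stream bodies out of a PDF, peels successive eval(unescape('...')) wrappers (decoding both the %XX and %uXXXX forms JavaScript's unescape accepts), and flags the document when a JavaScript action is combined with that obfuscation or with the mshta/HTA indicators the article mentions. The sample PDF bytes, the indicator list and the verdict thresholds are constructed for this example; a real triage run should feed the decoded layers into a proper PDF parser rather than rely on these regexes alone, since real samples use compression and object tricks beyond this minimal case.

```python
import re
import zlib

# Constructed sample: a minimal PDF-like byte string with a /JavaScript action whose
# script is hidden behind eval(unescape(...)). The decoded script is a harmless
# app.alert call; it exists only to exercise the scanner. (Not a valid PDF: no xref.)
INNER = "app.alert('constructed sample: mshta');"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << >> stream\n"
    + ("eval(unescape('" + "".join("%%%02x" % b for b in INNER.encode()) + "'));").encode()
    + b"\nendstream endobj\n"
    b"%%EOF\n"
)

# Constructed indicator list, taken from the behaviour the article describes.
INDICATORS = ("mshta", ".hta")

JS_ACTION = re.compile(rb"/(JavaScript|JS)\b")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
EVAL_UNESCAPE = re.compile(r"eval\s*\(\s*unescape\s*\(\s*['\"]([^'\"]*)['\"]", re.I)
PERCENT_SEQ = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """Decode a string the way JavaScript's unescape() does: %XX and %uXXXX."""
    return PERCENT_SEQ.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def extract_streams(data: bytes) -> list[bytes]:
    """Return stream bodies, inflating FlateDecode streams when they decompress."""
    bodies = []
    for m in STREAM.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not deflated (or undecodable); scan the raw bytes instead
        bodies.append(body)
    return bodies


def peel_eval_unescape(script: str, max_depth: int = 5) -> list[str]:
    """Strip successive eval(unescape('...')) wrappers, returning every decoded layer."""
    layers = []
    for _ in range(max_depth):
        m = EVAL_UNESCAPE.search(script)
        if not m:
            break
        script = js_unescape(m.group(1))
        layers.append(script)
    return layers


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: JavaScript action + eval(unescape()) or known indicators."""
    report = {
        "has_javascript": bool(JS_ACTION.search(data)),
        "eval_unescape": False,
        "decoded_layers": [],
        "indicators": [],
        "verdict": "clean",
    }
    # Scan the whole file (inline /JS strings) and each stream body (referenced scripts).
    for body in [data] + extract_streams(data):
        for layer in peel_eval_unescape(body.decode("latin-1")):
            report["eval_unescape"] = True
            if layer not in report["decoded_layers"]:
                report["decoded_layers"].append(layer)
            for ind in INDICATORS:
                if ind in layer.lower() and ind not in report["indicators"]:
                    report["indicators"].append(ind)
    if report["has_javascript"] and (report["eval_unescape"] or report["indicators"]):
        report["verdict"] = "suspicious"
    elif report["has_javascript"]:
        report["verdict"] = "review"  # JavaScript present but no obfuscation seen
    return report


if __name__ == "__main__":
    for key, value in scan_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The verdict deliberately stays coarse: any PDF that opens with a JavaScript action deserves a look, and one that hides that script behind eval(unescape()) deserves a closer one, regardless of whether the decoded text names a known tool. Nesting is handled because attackers often wrap the same trick several times.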
Like Adobe's Flash animation player, Reader can be a pain to keep updated. The program comes with an automatic update feature, but it can take weeks before it actually gets around to installing critical updates. Versions 8.1.2 and earlier are vulnerable to these attacks. Protect yourself by patching now:
Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084
Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093
Linux/Solaris: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094