Adobe Acrobat, Reader Under Attack From Zero-Day Exploit


err0r

Adobe on Tuesday warned that attacks were actively exploiting a previously unknown, "critical" vulnerability in Adobe Acrobat and Reader.

The zero-day bug has been confirmed in all versions of 8 and 9 Acrobat and Reader releases for Windows, Macintosh, and Unix, including the latest versions, 8.2.4 and 9.3.4. A successful attack will exploit a user's system.

According to an advisory published by security information service Secunia, "the vulnerability is caused due to a boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow."

The vulnerability employs a PDF file with built-in malicious code, which arrives as an e-mail attachment. Executing the PDF kicks off a variety of activities, including dropping an executable file into a temporary directory and attempting to run it. The dropped file, in a move reminiscent of Stuxnet, also carries a valid digital signature, in this case from Vantage Credit Union in St. Louis, said security researcher Roel Schouwenberg at Kaspersky Lab.

"The exploit is pretty basic," he said, but interestingly it employs return-oriented programming (ROP) to bypass some vulnerability mitigation techniques built into Windows Vista and 7. "More widespread usage of ROP for exploits is something I've been expecting for a while," he said, thanks to the increasing consumer and corporate adoption of both.

While Adobe hasn't detailed any mitigation techniques for the vulnerability, "it seems that turning off JavaScript in Adobe Reader prevents the known samples of the exploit from running," said Qualys CTO Wolfgang Kandek.

The sticker is the "known samples" caveat. Security researchers are still studying versions of the attack found in the wild, which means that some as-yet-unseen variations may be immune to disabling JavaScript. Regardless, "we recommend turning off JavaScript in Adobe Reader and consider it a best practice for normal desktop usage," said Kandek.

Source: Mathew Schwartz
