Malicious PDF files are used to execute arbitrary code on systems running fully-patched Reader and Acrobat versions

Feb 20, 2009 09:38 GMT

The cybercrime-fighting outfit Shadowserver has released an advisory warning about a critical flaw in Adobe Reader and Acrobat products that is being actively exploited in the wild. The attack vector consists of maliciously-crafted PDF files and successful exploitation gives attackers control over the system.

Shadowserver Foundation contributor Steven Adair explains that the group received samples of the malicious PDF files sometime last week and enlisted security researcher Matt Richard for the analysis. According to their findings, several variants of this attack currently exist in the wild.

"The malicious PDFs in the wild exploit a vulnerability in a non-JavaScript function call. However, they do use some JavaScript to implement a heap spray for successful code execution. The malicious PDFs in the wild contain JavaScript that is used to fill the heap with shellcode," Matt Richard concludes.

The behavior of the exploit differs with the environment. On more powerful systems, the Reader application could crash when opening the rogue PDF files before code execution occurs.

Since this vulnerability affects the latest version of Adobe Reader and no security patch has been released to address it, the temporary mitigation is to disable JavaScript in the application. This is done by going to Edit -> Preferences -> JavaScript in the Reader menu and unchecking the "Enable Acrobat JavaScript" option. "In this scenario, Adobe will still crash, but the required heap spray will not occur and code execution is not possible," Richard explains.
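Richard's finding above, that the in-the-wild files depend on JavaScript for their heap spray, gives defenders a simple triage check for incoming PDFs: flag any file that carries JavaScript or an auto-run action at all, whether or not the document has been patched against. The scanner below is an added example and is not Shadowserver's, Richard's or Adobe's code; its sample PDFs are constructed, and it handles two cases a plain grep misses, hex-escaped names and Flate-compressed object streams.

```python
import re
import zlib

# Constructed samples, not the in-the-wild files from the advisory.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"

# Runs a JavaScript action on open; the name is hex-escaped (/J#61vaScript),
# which a naive substring search for "/JavaScript" would miss.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert("constructed sample")) >> endobj
%%EOF"""

# Same action, but inside a Flate-compressed object stream.
_HIDDEN = b"5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj"
COMPRESSED_PDF = (b"%PDF-1.5\n4 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(_HIDDEN) + b"\nendstream\nendobj\n%%EOF")

INDICATORS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/OpenAction": "action on open",
    b"/AA": "additional (automatic) action",
}

def inflate_streams(data: bytes) -> bytes:
    """Append the content of every stream that inflates, so keys inside
    compressed object streams become visible to the keyword scan."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (images, other filters): skip it
    return b"\n".join(parts)

def normalise_names(data: bytes) -> bytes:
    """Expand #xx escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count indicator keys; any JavaScript hit is the triage signal here,
    since the exploit cannot complete its heap spray without it."""
    text = normalise_names(inflate_streams(data))
    counts = {desc: len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
              for key, desc in INDICATORS.items()}
    hits = {desc: n for desc, n in counts.items() if n}
    has_js = "JavaScript action" in hits or "JavaScript code" in hits
    return {"indicators": hits, "contains_javascript": has_js}
```

A JavaScript hit is a reason to quarantine and inspect, not proof of malice, since many legitimate forms also carry scripts.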

Adobe has acknowledged the issue and released an advisory of its own, but it says that a security update for the 9.x version will not be released until March 11, while one for 8.x will come at an even later date. "Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers," the advisory notes, and, indeed, several antivirus vendors have confirmed releasing signatures for this exploit.

The security researchers' concern is that, while the current attacks are rather limited in distribution and target a small number of users, they are likely to evolve very fast. "These types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet," Steven Adair says, while McAfee's Geok Meng Ong advises that "New variants are expected, as more information is made public."

Previous remote code execution vulnerabilities affecting the 8.x version of Adobe Reader and Acrobat are still being exploited successfully through malicious PDF files, even though patches were released months ago. This points to poor patching practices on the part of users, and, by comparison, the newly discovered vulnerability is far more serious and dangerous.