PDF exploit linked to the supposedly defunct Neosploit

Apr 10, 2009 09:51 GMT

Security researchers from anti-virus vendor Symantec have detected a maliciously crafted PDF file exploiting the Adobe Reader and Acrobat getIcon() vulnerability. Users are urged to update the two affected products to their 9.1, 8.1.3 or 7.1.1 releases, depending on the version they are using.

According to Symantec's analysis, the malformed PDF targets three distinct remote code execution vulnerabilities: Collab.collectEmailInfo (CVE-2007-5659), util.printf (CVE-2008-2992) and the much newer Collab.getIcon, identified as CVE-2009-0927. This flaw, documented by Adobe in its APSB09-04 security bulletin, was discovered by Tenable Network Security and reported through TippingPoint's Zero Day Initiative (ZDI).

"The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow," the ZDI advisory explains.

One interesting aspect of this vulnerability is that, until this sample surfaced, no public exploit for it was known. Two separate commercial proof-of-concept exploits are known to have been developed, by VUPEN Security and Core Security Technologies, but neither is freely available or known to have leaked into the wild.

Another intriguing detail, according to Symantec's Sean Hittel, who analyzed the exploit, is that it is packaged with the latest Neosploit encoder. "Although some authors have reported that Neosploit is no more, updated iterations of it have continued to appear on our honeypots with regularity," the researcher notes.

Trend Micro, another global provider of security solutions, has detected and reported the same threat. "Cyber criminals have now updated their PDF exploits to include the getIcon() vulnerability (CVE-2009-0927). We currently detect this as TROJ_PIDIEF.OE," writes JJ Reyes, one of the company's advanced threat researchers.
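As an added example (not code from Symantec, Trend Micro, ZDI or the Neosploit authors), the script below triages a PDF for the three JavaScript API calls named above (Collab.getIcon, Collab.collectEmailInfo, util.printf) plus the unescape("%u...") heap-spray idiom these exploits rely on. It inflates FlateDecode streams, undoes #XX name escapes such as /Java#53cript, and reads literal /JS (...) strings. The sample PDF is constructed inline for this example with placeholder bytes instead of any payload; the indicator table, regular expressions and helper names (extract_scripts, scan_pdf) are assumptions of this example, not anything the vendors published.

```python
import re
import zlib

# Indicators drawn from the article: the three Reader JavaScript APIs the sample
# abuses, mapped to their CVE identifiers. (Assumed table for this example.)
SUSPICIOUS_CALLS = {
    "Collab.getIcon": "CVE-2009-0927",
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
}
# unescape("%u....") is the classic way these exploits assemble a heap spray/payload.
HEAP_SPRAY_RE = re.compile(r"unescape\s*\(\s*[\"']%u", re.I)

# A stream object: its dictionary (one level of nesting allowed) followed by the body.
# The body is cut at "\nendstream" only; a stray "\r" before it stays in the data,
# which zlib tolerates as trailing bytes.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
# A literal JavaScript string: /JS (...) with backslash escapes respected.
JS_LITERAL_RE = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)", re.S)


def _decode_names(raw: bytes) -> bytes:
    """Undo #XX hex escapes in PDF names, so /Java#53cript reads as /JavaScript.
    Only apply this to dictionary/object text, never to binary stream data."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflate(data: bytes) -> bytes:
    """Decompress a FlateDecode body. Truncated input yields whatever inflated;
    corrupt input yields nothing instead of raising."""
    d = zlib.decompressobj()
    try:
        return d.decompress(data) + d.flush()
    except zlib.error:
        return b""


def extract_scripts(pdf: bytes) -> list:
    """Return candidate JavaScript bodies: inflated streams plus literal /JS (...) strings."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        dict_part, body = _decode_names(m.group(1)), m.group(2)
        if b"/FlateDecode" in dict_part:
            body = _inflate(body)
        bodies.append(body)
    # Literal strings live outside streams; drop the streams first so binary data
    # is neither name-decoded nor mistaken for a /JS string.
    outside = _decode_names(STREAM_RE.sub(b"", pdf))
    for m in JS_LITERAL_RE.finditer(outside):
        bodies.append(re.sub(rb"\\(.)", rb"\1", m.group(1)))  # strip PDF string escapes
    return bodies


def scan_pdf(pdf: bytes) -> dict:
    """Map each indicator (CVE id or 'heap-spray') to how often it occurs in the PDF's JavaScript."""
    findings = {}
    for body in extract_scripts(pdf):
        text = body.decode("latin-1")
        for api, cve in SUSPICIOUS_CALLS.items():
            hits = text.count(api)
            if hits:
                findings[cve] = findings.get(cve, 0) + hits
        if HEAP_SPRAY_RE.search(text):
            findings["heap-spray"] = findings.get("heap-spray", 0) + 1
    return findings


# --- Constructed sample (not the file Symantec analysed) ---------------------------
# The JavaScript is an inert illustration: it names the three vulnerable APIs and
# the unescape() spray idiom, with placeholder bytes where a real payload would sit.
_JS = b"""
var sc = unescape("%u9090%u9090%ucccc");            // placeholder bytes, not shellcode
var spray = sc; while (spray.length < 0x40000) spray += spray;
if (app.viewerVersion < 9.1) {
  Collab.getIcon(unescape("%u4141%u4141") + spray); // CVE-2009-0927
  Collab.collectEmailInfo({msg: spray});            // CVE-2007-5659
  util.printf("%45000f", 1e10);                     // CVE-2008-2992
}
"""
_JS_Z = zlib.compress(_JS)

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    # /JavaScript and /JS spelled with #XX name escapes, a common evasion trick
    b"3 0 obj << /S /Java#53cript /J#53 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_JS_Z)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _JS_Z + b"\nendstream\nendobj\n"
    # A second, uncompressed script as a literal string with escaped parentheses
    b'5 0 obj << /S /JavaScript /JS (util.printf\\("%5000f", 1\\)) >> endobj\n'
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Plain string matching like this is a triage aid, not a verdict: a script that assembles "getIcon" at runtime from concatenated pieces, or that is wrapped in eval() by an encoder such as Neosploit's, will not hit the indicator table, which is why the vendors' detections key on the decoded behaviour rather than on literal API names.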

Due to its widespread adoption and the many remote code execution vulnerabilities affecting it, Adobe Reader has become a favorite target for attackers. Malicious PDF files that act as a conduit for other malware have been integrated into the most popular exploit kits and are constantly being served from compromised websites.

The growing number of new attacks against already patched vulnerabilities points to one conclusion: users are slow to deploy patches and upgrade their software. If the spread of the Conficker worm is any indication, most of the victims are likely to be corporate users, where PDF files are ubiquitous and patch deployment takes a long time.