Just hovering the mouse pointer over a malicious PDF file will do the trick

Mar 6, 2009 09:19 GMT

The yet-unpatched critical vulnerability affecting up-to-date versions of Adobe Reader and Acrobat has just become more dangerous. A security consultant has demonstrated how to exploit the bug without needing to actually open a malformed PDF file.

It's been a little over two weeks since members of the cyber-crime fighting outfit "The Shadowserver Foundation" warned about a serious 0-day vulnerability in Adobe Reader and Acrobat, which was being exploited in the wild through maliciously-crafted PDF files.

Adobe acknowledged the vulnerability in an advisory, but only scheduled a patch for March 11, a rather long period of time for a 0-day flaw that baffled security experts. Things got even more serious when researchers from vulnerability intelligence company Secunia later announced that they had developed a working proof-of-concept exploit for it that did not rely on JavaScript.

This posed significant problems, since the initially-suggested workaround for the issue involved disabling JavaScript in Adobe Reader and Acrobat, because the exploits detected in the wild required it. However, what Didier Stevens, IT security consultant at Contraste Europe, has just demonstrated is far scarier than Secunia's exploit.

According to Mr. Stevens, "Sometimes, a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents." In order to demonstrate this concept, the researcher has made use of two already available exploits and a custom one that he created himself.

As he explains, this behavior is possible due to the Windows Shell Extension that Adobe Reader and Acrobat install. It is called "Column Handler Shell Extension" and is responsible for feeding Windows Explorer additional columns of information when listing PDF files in a directory. The existence of this shell extension opens the door to three distinct attack scenarios.

The first one involves clicking on the file to select it in Windows Explorer (single click). This action will cause the extension to actually read it in order to gather the extra information to display. The second type of attack occurs if the "Thumbnail view" option is selected in Windows Explorer. In order to generate a thumbnail, the first page of the PDF document has to be read, again executing any malicious code it contains.

The third and most intriguing scenario employs the custom PDF file that Mr. Stevens has created. This file stores the malicious stream object in the metadata instead of its pages. The information stored in the file metadata is read by Windows Explorer through the shell extension in order to generate mouse-over tooltips. Therefore, by hovering the mouse pointer over a malformed PDF file, the exploit code will be automatically executed.
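The practical consequence of the three scenarios is that a PDF should be triaged before Explorer, a thumbnail handler or a tooltip reader ever parses it. The following script is an added example written for this article, not code from Mr. Stevens or from Adobe: it lists every stream in a PDF that declares the /JBIG2Decode filter and reports whether the stream sits in the document metadata (what the tooltip reader consumes), in an image XObject (what page rendering and thumbnails consume), or elsewhere. The embedded sample PDF is constructed here purely as a harmless stand-in with filler stream bytes; the object layout and the `#xx` name-escape handling are assumptions about how such files can be written, not details taken from the article.

```python
"""Defender-side triage: list every stream in a PDF that declares the
/JBIG2Decode filter and say where it sits (document metadata, image
XObject, or elsewhere), so a file can be flagged before any viewer or
shell extension parses it."""
import re
from typing import Dict, List

# Constructed sample (not a real exploit file): a minimal PDF whose XMP
# metadata stream is declared JBIG2-encoded, the layout the article
# describes for the mouse-over case. The stream body is filler bytes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML /Filter /JBIG2Decode /Length 4 >>
stream
AAAA
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Indirect object: "N G obj ... endobj". Non-greedy, so binary stream data
# that happens to contain "endobj" would truncate a match; acceptable for
# triage, not for a full parser.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
META_REF_RE = re.compile(rb"/Metadata\s+(\d+)\s+\d+\s+R")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/JBIG#32Decode -> /JBIG2Decode) so an
    escaped filter name cannot hide from a plain substring check."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_jbig2_streams(pdf: bytes) -> List[Dict[str, object]]:
    """Return [{'object': N, 'location': 'metadata'|'image'|'other'}, ...]
    for each object whose stream dictionary names the JBIG2Decode filter."""
    objects = [(int(n), normalize_names(body))
               for n, _gen, body in OBJ_RE.findall(pdf)]

    # Objects that some dictionary (normally the catalog) points at via
    # /Metadata: these are what a tooltip or properties reader will parse.
    metadata_refs = {int(m.group(1))
                     for _n, body in objects
                     for m in META_REF_RE.finditer(body)}

    findings = []
    for objnum, body in objects:
        # Only the dictionary before the 'stream' keyword is inspected.
        dict_part = body.split(b"stream", 1)[0]
        if b"/JBIG2Decode" not in dict_part:
            continue
        if objnum in metadata_refs or re.search(rb"/Type\s*/Metadata", dict_part):
            location = "metadata"
        elif re.search(rb"/Subtype\s*/Image", dict_part):
            location = "image"
        else:
            location = "other"
        findings.append({"object": objnum, "location": location})
    return findings


if __name__ == "__main__":
    for f in find_jbig2_streams(SAMPLE_PDF):
        print(f"object {f['object']}: /JBIG2Decode stream in {f['location']}")
```

Run against a file with `find_jbig2_streams(open(path, "rb").read())`. A hit in the metadata location is the case the tooltip scenario depends on, so such files deserve the isolated-lab handling the consultant recommends rather than a plain Explorer listing. The scan is regex-based and deliberately does not decode any stream, so it never triggers the vulnerable decoder itself; it will miss filter names hidden inside object streams or encrypted documents, which need a real PDF parser.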

It remains to be seen if this latest development will compel Adobe to release an unscheduled patch before March 11. Regardless of this fact, everyone should "be very careful when you handle malicious files," the security consultant warns. "[...] Always change the extension of malware (trojan.exe becomes trojan.exe.virus) and handle them in an isolated virus lab. Outside of that lab, [...] encrypt the malware," he advises.