Many users haven't patched a vulnerability addressed by Adobe in 2010

Feb 23, 2012 09:14 GMT  ·  By

A remote code execution vulnerability that existed in Adobe Acrobat and Adobe Reader, which the company patched up in 2010, is still being exploited by malware developers that rely on malicious PDF files to ensure the success of their campaigns.

Symantec products stopped many of these PDF attacks this month, the maximum number being recorded on February 16 with close to 3,500 hits.

A detailed analysis of an exploited PDF sample reveals a highly obfuscated JavaScript that makes use of the old vulnerability that refers to an invalid value in a tagged image file format generated by the corruptscthe TIFF parser (LibTIFF).

“The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form. The JavaScript manipulated a subform field by using a reference to an embedded element, “qwe123b” in the example,” Symantec’s Jason Zgang wrote.

“When such an exploited PDF sample is loaded into the vulnerable PDF reading application, the XFA initialize activity is triggered and the embedded JavaScript will be called.”

The JavaScript also constructs the correct exploited TIFF file and the shellcode, which it sprays into the memory, ensuring that the vulnerability is triggered by assigning the image file to the rawValue of the pre-defined form element.

The way in which the malware determines the current version of the PFD reader, by converting the version into an integer that can be compared to a certain threshold that represents the application’s variant, confuses malware analysts and antivirus scanners.

Symantec’s findings basically show that there are still a lot of users who fail to upgrade Adobe Reader and Acrobat, giving malware developers the opportunity to simply upgrade their products to ensure them a high rate of success.

Since Adobe products are usually highly targeted by malicious operations, it’s always recommended that customers update their applications whenever the vendor makes available a new version.