Vulnerabilities already fixed by both companies this month

May 16, 2018 09:54 GMT

Two vulnerabilities, one in Adobe Reader and one in Windows, were chained by attackers into a single exploit targeting Windows systems before both companies addressed them in their patch releases earlier this month.

Security vendor ESET says in an in-depth analysis that it discovered a malicious PDF on a public mirror, apparently intended for attacks against Windows hosts. The document contained JavaScript code and a crafted JPEG2000 image that together exploited CVE-2018-4990 in Adobe Reader.

Successful exploitation of this remote-code-execution flaw gives the attacker the ability to read and write the memory of the Reader process, which is enough to run code inside it, but still within Reader's sandbox.

To escape that sandbox, the attackers then turned to a second vulnerability, CVE-2018-8120, a privilege-escalation bug in Windows.
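As a practical follow-on to the indicators ESET describes (JavaScript plus a JPEG2000 image inside one PDF), here is an added Python triage script; it is not part of ESET's analysis or of the original article. It flags PDFs that combine the two features, decodes #xx-escaped name tokens (so /J#61vaScript is still seen as /JavaScript) and inflates FlateDecode streams so that names hidden in object streams are found too. The name list it checks (/JavaScript, /JS, /JPXDecode, /OpenAction, /AA) and the verdict labels are the author's own choices, and the three sample PDFs are constructed for the example; none is the ESET sample or a working exploit.

```python
import re
import zlib

# PDF name token, allowing #xx hex escapes: the spec permits /J#61vaScript for
# /JavaScript, and malware uses that to dodge naive string matching.
_NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
# stream ... endstream bodies; the lookbehind stops "endstream" being taken as a stream start.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_pdf_names(data: bytes) -> bytes:
    """Rewrite every #xx escape inside a name token to the byte it encodes."""
    def decode(m):
        raw = m.group(1)
        return b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                             lambda h: bytes([int(h.group(1), 16)]), raw)
    return _NAME_RE.sub(decode, data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates as zlib (FlateDecode).
    Object streams (/ObjStm) are Flate-compressed, so names hidden there become visible."""
    parts = []
    for m in _STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data, e.g. a raw JPEG2000 or JPEG codestream
    return b"\n".join(parts)


def _has_name(corpus: bytes, name: bytes) -> bool:
    # The negative lookahead keeps /JS from matching a longer name that starts with JS.
    return re.search(rb"/" + re.escape(name) + rb"(?![^\s/\[\]<>(){}%])", corpus) is not None


def triage_pdf(data: bytes) -> dict:
    """Return the indicator flags and a verdict for one PDF given as bytes."""
    corpus = normalize_pdf_names(data + b"\n" + inflate_streams(data))
    result = {
        "javascript": _has_name(corpus, b"JavaScript") or _has_name(corpus, b"JS"),
        "jpx_image": _has_name(corpus, b"JPXDecode"),
        "auto_action": _has_name(corpus, b"OpenAction") or _has_name(corpus, b"AA"),
    }
    if result["javascript"] and result["jpx_image"]:
        result["verdict"] = "suspicious"   # the JS + JPEG2000 pairing ESET describes
    elif result["javascript"]:
        result["verdict"] = "review"       # scripted PDFs deserve a look on their own
    else:
        result["verdict"] = "clean"
    return result


# Constructed samples for this example; none is the ESET sample or a working exploit.
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hi');) >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JPXDecode /Length 12 >>\n"
    b"stream\n\x00\x00\x00\x0cjP  \r\n\x87\n\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

SAMPLE_BENIGN = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /DCTDecode /Length 4 >>\n"
    b"stream\n\xff\xd8\xff\xd9\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# JavaScript hidden in a Flate-compressed object stream, JPXDecode spelled with a #xx escape.
_OBJSTM = zlib.compress(b"4 0 << /S /JavaScript /JS (app.launchURL('http://example.invalid/')) >>")
SAMPLE_OBFUSCATED = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM + b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Filter /JPX#44ecode /Length 12 >>\n"
    b"stream\n\x00\x00\x00\x0cjP  \r\n\x87\n\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in [("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN),
                       ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(label, triage_pdf(pdf))
```

The script is a triage filter, not a detection of CVE-2018-4990 itself: a benign scripted PDF with a JPEG2000 image will also be flagged, which is the intended trade-off for a first pass over a mail gateway or a sample feed. It deliberately avoids a full PDF parser so that malformed files, which exploit documents often are, do not make it bail out before the names are seen.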

Fancy Bear-inspired approach

That issue lies in the Win32k kernel component; exploiting it lets the attacker run arbitrary code in kernel mode on the compromised system, which in practice means full control over the target computer.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction,” explained ESET security researcher Anton Cherepanov, who discovered both vulnerabilities and reported them to the two vendors, in his analysis.

There is evidence, however, that the exploit was still under development when it was found: the PDF sample did not yet contain a final payload.

Cherepanov also notes that chaining exploits this way is an advanced technique that groups such as Russia's Fancy Bear are believed to use. There is, however, no proof that Russian hackers were involved in these attacks.

Microsoft and Adobe have already released patches for the two vulnerabilities used in this chain, and users are advised to install them as soon as possible.