Attacks/Breaches
2/15/2013
06:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat

Use Protected Mode until patch is available for sophisticated attacks, Adobe says

This article was updated on 2/15/13 with more information on reports of a previous sandbox bypass

Attacks are under way exploiting the newest versions of Adobe's PDF sandbox and other protections -- sure signs that sophisticated, well-funded attackers are likely behind this latest wave of threats to the popular software, according to security experts who have studied the malware.

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Security vendor F-Secure recommends also selecting "All files" under Protected View, rather than the "Files from potentially unsafe locations" option suggested by Adobe.

[UPDATE/Clarification, 02/15/13]:
It may not be the first time Adobe's sandbox feature has been beaten in an exploit, however, notes Zheng Bu, senior director of research for FireEye, which first spotted the zero-day attack in the wild and contacted Adobe. "We had seen a [sandbox] bypass late last year," he says, referring to a report that Group-IB claims to have bypassed the sandbox.

Adobe says there is no evidence of the previous sandbox bypass attack, despite its efforts to get a proof-of-concept from Group-IB.

Bu says the new attack is advanced. "This is a very sophisticated attack. It ... bypasses ASLR [Address Space Layout Randomization] and Adobe sandbox. These technologies were introduced to the system level and the application level to make exploitation harder; they have been quite effective for a while," Bu says. But security researchers have demonstrated that these techniques can be beaten, he says.

"We are starting to see this bypassing ASLR has been readily used [like with] this zero-day exploit," he says. "The threat landscape is changing, and we really need new technologies. I would say Adobe needs to continue to innovate and better protect its customers."

The attack so far has been in the form of an email with a malicious PDF file attachment named "visa.form.turkey.PDF," which looks a lot like an authentic Turkey visa application, Bu says.

Once the victim opens the file, three binaries are dropped: a loader, a command and control module, and another binary that downloads additional malware. "This is a malware suite -- with many binaries in the payloads," he says, adding that the malware was created on Feb. 4.

FireEye's Bu declined to speculate on who might be behind the latest Adobe zero-day attack.

[Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect. See The Pros And Cons Of Application Sandboxing.]

Other researchers have tested samples of the malicious PDF. Chaouki Bekrar, CEO and head of research at VUPEN, says the first bug allows the code execution inside the sandbox, and then second bug is exploited to escape the sandbox and execute the final payload. "After installing the Trojan, the exploit displays a fake PDF, which is a Visa form for a specific country," Bekrar says.

"This is the first seen-in-the-wild exploit combining multiple zero-day vulnerabilities to bypass ASLR and the sandbox," Bekrar says, and "it's a typical offensive exploit used by law enforcement agencies to track and infect criminals' computers and investigate their illegal activities."

Bekrar says the authors of the exploit appear to be very skilled, and writing and testing "this reliable code" likely took some time, he says.

He says while Adobe and Google have the most "robust" sandboxes, that doesn't mean they can't be cheated by attackers with enough resources and time.

Other experts concur that sophisticated attackers are indeed finding ways around the newest security controls in Adobe and other apps to sneak in and stay under the radar. "The use of evasive code is becoming a regular occurrence for malware writers, and it is important for organizations to closely examine their current network security measures to ensure they discover these threats before it causes costly damage and theft," says Dr. Giovanni Vigna, founder and CTO of Lastline and director of the Cybersecurity Center at UC Santa Barbara.

It's been a rough week for Adobe: It had just issued security updates for Flash Player, Shockwave Player, and AIR on Tuesday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.