Attacks/Breaches
2/15/2013
06:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat

Use Protected Mode until patch is available for sophisticated attacks, Adobe says

This article was updated on 2/15/13 with more information on reports of a previous sandbox bypass

Attacks are under way exploiting the newest versions of Adobe's PDF sandbox and other protections -- sure signs that sophisticated, well-funded attackers are likely behind this latest wave of threats to the popular software, according to security experts who have studied the malware.

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Security vendor F-Secure recommends also selecting "All files" under Protected View, rather than the "Files from potentially unsafe locations" option suggested by Adobe.

[UPDATE/Clarification, 02/15/13]:
It may not be the first time Adobe's sandbox feature has been beaten in an exploit, however, notes Zheng Bu, senior director of research for FireEye, which first spotted the zero-day attack in the wild and contacted Adobe. "We had seen a [sandbox] bypass late last year," he says, referring to a report that Group-IB claims to have bypassed the sandbox.

Adobe says there is no evidence of the previous sandbox bypass attack, despite its efforts to get a proof-of-concept from Group-IB.

Bu says the new attack is advanced. "This is a very sophisticated attack. It ... bypasses ASLR [Address Space Layout Randomization] and Adobe sandbox. These technologies were introduced to the system level and the application level to make exploitation harder; they have been quite effective for a while," Bu says. But security researchers have demonstrated that these techniques can be beaten, he says.

"We are starting to see this bypassing ASLR has been readily used [like with] this zero-day exploit," he says. "The threat landscape is changing, and we really need new technologies. I would say Adobe needs to continue to innovate and better protect its customers."

The attack so far has been in the form of an email with a malicious PDF file attachment named "visa.form.turkey.PDF," which looks a lot like an authentic Turkey visa application, Bu says.

Once the victim opens the file, three binaries are dropped: a loader, a command and control module, and another binary that downloads additional malware. "This is a malware suite -- with many binaries in the payloads," he says, adding that the malware was created on Feb. 4.

FireEye's Bu declined to speculate on who might be behind the latest Adobe zero-day attack.

[Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect. See The Pros And Cons Of Application Sandboxing.]

Other researchers have tested samples of the malicious PDF. Chaouki Bekrar, CEO and head of research at VUPEN, says the first bug allows the code execution inside the sandbox, and then second bug is exploited to escape the sandbox and execute the final payload. "After installing the Trojan, the exploit displays a fake PDF, which is a Visa form for a specific country," Bekrar says.

"This is the first seen-in-the-wild exploit combining multiple zero-day vulnerabilities to bypass ASLR and the sandbox," Bekrar says, and "it's a typical offensive exploit used by law enforcement agencies to track and infect criminals' computers and investigate their illegal activities."

Bekrar says the authors of the exploit appear to be very skilled, and writing and testing "this reliable code" likely took some time, he says.

He says while Adobe and Google have the most "robust" sandboxes, that doesn't mean they can't be cheated by attackers with enough resources and time.

Other experts concur that sophisticated attackers are indeed finding ways around the newest security controls in Adobe and other apps to sneak in and stay under the radar. "The use of evasive code is becoming a regular occurrence for malware writers, and it is important for organizations to closely examine their current network security measures to ensure they discover these threats before it causes costly damage and theft," says Dr. Giovanni Vigna, founder and CTO of Lastline and director of the Cybersecurity Center at UC Santa Barbara.

It's been a rough week for Adobe: It had just issued security updates for Flash Player, Shockwave Player, and AIR on Tuesday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web