06:45 AM
Connect Directly

New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat

Use Protected Mode until patch is available for sophisticated attacks, Adobe says

This article was updated on 2/15/13 with more information on reports of a previous sandbox bypass

Attacks are under way exploiting the newest versions of Adobe's PDF sandbox and other protections -- sure signs that sophisticated, well-funded attackers are likely behind this latest wave of threats to the popular software, according to security experts who have studied the malware.

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Security vendor F-Secure recommends also selecting "All files" under Protected View, rather than the "Files from potentially unsafe locations" option suggested by Adobe.

[UPDATE/Clarification, 02/15/13]:
It may not be the first time Adobe's sandbox feature has been beaten in an exploit, however, notes Zheng Bu, senior director of research for FireEye, which first spotted the zero-day attack in the wild and contacted Adobe. "We had seen a [sandbox] bypass late last year," he says, referring to a report that Group-IB claims to have bypassed the sandbox.

Adobe says there is no evidence of the previous sandbox bypass attack, despite its efforts to get a proof-of-concept from Group-IB.

Bu says the new attack is advanced. "This is a very sophisticated attack. It ... bypasses ASLR [Address Space Layout Randomization] and Adobe sandbox. These technologies were introduced to the system level and the application level to make exploitation harder; they have been quite effective for a while," Bu says. But security researchers have demonstrated that these techniques can be beaten, he says.

"We are starting to see this bypassing ASLR has been readily used [like with] this zero-day exploit," he says. "The threat landscape is changing, and we really need new technologies. I would say Adobe needs to continue to innovate and better protect its customers."

The attack so far has been in the form of an email with a malicious PDF file attachment named "visa.form.turkey.PDF," which looks a lot like an authentic Turkey visa application, Bu says.

Once the victim opens the file, three binaries are dropped: a loader, a command and control module, and another binary that downloads additional malware. "This is a malware suite -- with many binaries in the payloads," he says, adding that the malware was created on Feb. 4.

FireEye's Bu declined to speculate on who might be behind the latest Adobe zero-day attack.

[Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect. See The Pros And Cons Of Application Sandboxing.]

Other researchers have tested samples of the malicious PDF. Chaouki Bekrar, CEO and head of research at VUPEN, says the first bug allows the code execution inside the sandbox, and then second bug is exploited to escape the sandbox and execute the final payload. "After installing the Trojan, the exploit displays a fake PDF, which is a Visa form for a specific country," Bekrar says.

"This is the first seen-in-the-wild exploit combining multiple zero-day vulnerabilities to bypass ASLR and the sandbox," Bekrar says, and "it's a typical offensive exploit used by law enforcement agencies to track and infect criminals' computers and investigate their illegal activities."

Bekrar says the authors of the exploit appear to be very skilled, and writing and testing "this reliable code" likely took some time, he says.

He says while Adobe and Google have the most "robust" sandboxes, that doesn't mean they can't be cheated by attackers with enough resources and time.

Other experts concur that sophisticated attackers are indeed finding ways around the newest security controls in Adobe and other apps to sneak in and stay under the radar. "The use of evasive code is becoming a regular occurrence for malware writers, and it is important for organizations to closely examine their current network security measures to ensure they discover these threats before it causes costly damage and theft," says Dr. Giovanni Vigna, founder and CTO of Lastline and director of the Cybersecurity Center at UC Santa Barbara.

It's been a rough week for Adobe: It had just issued security updates for Flash Player, Shockwave Player, and AIR on Tuesday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.