Risk
2/14/2013
09:01 AM
50%
50%

Adobe Zero-Day Attack Bypasses Sandbox

Adobe fumbles on the security front by not enabling -- by default -- technology built into its PDF Reader and Acrobat that would have blocked the current attacks.

The in-the-wild exploits being launched against the latest versions of Adobe Reader and Adobe Acrobat applications are the first known attacks that can bypass the sandbox that Adobe built into the software.

The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe's software, they wouldn't be able to gain access to the rest of the PC. That defense has now been defeated.

The zero-day attacks against Reader and Acrobat, which target two previously unknown vulnerabilities, were first publicly disclosed by security firm FireEye on Tuesday. Adobe confirmed the same day that it had already begun to investigate the attacks, which use malicious PDFs that are emailed to targets, as well as the bugs they exploit.

"These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," according to an Adobe security advisory issued Wednesday.

[ Hackers' business model seems to be the same as everyone else's. See Cybercrime 2.0: It's All About The Money. ]

Interestingly, the latest version of Adobe's software -- Reader XI and Acrobat XI -- for Windows does have a built-in defense, called Protected View, that blocks the current zero-day attacks. Unfortunately, the feature isn't enabled by default. In addition, no such feature is present in version 11 of Reader or Acrobat for Mac OS X, which is vulnerable to the attacks. Similarly, versions 9 and 10 of the Adobe Reader and Adobe Acrobat, for both Windows and Mac OS X, lack the feature, and are also vulnerable to the attacks.

An Adobe spokesperson said a less-restrictive feature, Protective Mode, is enabled by default, but Protected View is not enabled by default in Reader XI and Acrobat XI for Windows. That apparent mistake is drawing criticism from security experts. Eugene Kasperksy, CEO of Kaspersky Lab, likened the deactivated-by-default security feature to "car airbags that work only if owners flip a switch."

The Protected View defense came to light Wednesday, when Adobe detailed mitigation techniques for the zero-day attacks. "Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View," according to a security bulletin released by Adobe. "To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu." Similarly, enterprise administrators can activate Protected View via a registry tweak, then using Microsoft's Group Policy to distribute the setting.

Windows users running older versions of Reader or Acrobat could upgrade to the latest version to mitigate the vulnerabilities. Meanwhile, another mitigation technique would be to avoid using Adobe Reader and Acrobat, and read or edit PDF files using an alternate application, such as the Preview application built into Mac OS X, or standalone applications from Foxit and Solid Documents, which respectively offer PDF conversion and editing software for Windows and Mac. As noted by Ars Technica, while this software likely also contains exploitable bugs, attackers don't seem to currently be targeting them.

To date, FireEye and Adobe have declined to release the exploit code being used by attackers, but FireEye Wednesday did offer some additional details about the attack, noting that the malicious PDF files have been weaponized with JavaScript. "The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques," according to a blog post by FireEye researchers. "Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader ... and it creates the appropriate shellcode based on the version found."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.