Risk
2/14/2013
09:01 AM
50%
50%

Adobe Zero-Day Attack Bypasses Sandbox

Adobe fumbles on the security front by not enabling -- by default -- technology built into its PDF Reader and Acrobat that would have blocked the current attacks.

The in-the-wild exploits being launched against the latest versions of Adobe Reader and Adobe Acrobat applications are the first known attacks that can bypass the sandbox that Adobe built into the software.

The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe's software, they wouldn't be able to gain access to the rest of the PC. That defense has now been defeated.

The zero-day attacks against Reader and Acrobat, which target two previously unknown vulnerabilities, were first publicly disclosed by security firm FireEye on Tuesday. Adobe confirmed the same day that it had already begun to investigate the attacks, which use malicious PDFs that are emailed to targets, as well as the bugs they exploit.

"These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," according to an Adobe security advisory issued Wednesday.

[ Hackers' business model seems to be the same as everyone else's. See Cybercrime 2.0: It's All About The Money. ]

Interestingly, the latest version of Adobe's software -- Reader XI and Acrobat XI -- for Windows does have a built-in defense, called Protected View, that blocks the current zero-day attacks. Unfortunately, the feature isn't enabled by default. In addition, no such feature is present in version 11 of Reader or Acrobat for Mac OS X, which is vulnerable to the attacks. Similarly, versions 9 and 10 of the Adobe Reader and Adobe Acrobat, for both Windows and Mac OS X, lack the feature, and are also vulnerable to the attacks.

An Adobe spokesperson said a less-restrictive feature, Protective Mode, is enabled by default, but Protected View is not enabled by default in Reader XI and Acrobat XI for Windows. That apparent mistake is drawing criticism from security experts. Eugene Kasperksy, CEO of Kaspersky Lab, likened the deactivated-by-default security feature to "car airbags that work only if owners flip a switch."

The Protected View defense came to light Wednesday, when Adobe detailed mitigation techniques for the zero-day attacks. "Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View," according to a security bulletin released by Adobe. "To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu." Similarly, enterprise administrators can activate Protected View via a registry tweak, then using Microsoft's Group Policy to distribute the setting.

Windows users running older versions of Reader or Acrobat could upgrade to the latest version to mitigate the vulnerabilities. Meanwhile, another mitigation technique would be to avoid using Adobe Reader and Acrobat, and read or edit PDF files using an alternate application, such as the Preview application built into Mac OS X, or standalone applications from Foxit and Solid Documents, which respectively offer PDF conversion and editing software for Windows and Mac. As noted by Ars Technica, while this software likely also contains exploitable bugs, attackers don't seem to currently be targeting them.

To date, FireEye and Adobe have declined to release the exploit code being used by attackers, but FireEye Wednesday did offer some additional details about the attack, noting that the malicious PDF files have been weaponized with JavaScript. "The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques," according to a blog post by FireEye researchers. "Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader ... and it creates the appropriate shellcode based on the version found."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.