Risk
2/14/2013
09:01 AM
50%
50%

Adobe Zero-Day Attack Bypasses Sandbox

Adobe fumbles on the security front by not enabling -- by default -- technology built into its PDF Reader and Acrobat that would have blocked the current attacks.

The in-the-wild exploits being launched against the latest versions of Adobe Reader and Adobe Acrobat applications are the first known attacks that can bypass the sandbox that Adobe built into the software.

The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe's software, they wouldn't be able to gain access to the rest of the PC. That defense has now been defeated.

The zero-day attacks against Reader and Acrobat, which target two previously unknown vulnerabilities, were first publicly disclosed by security firm FireEye on Tuesday. Adobe confirmed the same day that it had already begun to investigate the attacks, which use malicious PDFs that are emailed to targets, as well as the bugs they exploit.

"These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," according to an Adobe security advisory issued Wednesday.

[ Hackers' business model seems to be the same as everyone else's. See Cybercrime 2.0: It's All About The Money. ]

Interestingly, the latest version of Adobe's software -- Reader XI and Acrobat XI -- for Windows does have a built-in defense, called Protected View, that blocks the current zero-day attacks. Unfortunately, the feature isn't enabled by default. In addition, no such feature is present in version 11 of Reader or Acrobat for Mac OS X, which is vulnerable to the attacks. Similarly, versions 9 and 10 of the Adobe Reader and Adobe Acrobat, for both Windows and Mac OS X, lack the feature, and are also vulnerable to the attacks.

An Adobe spokesperson said a less-restrictive feature, Protective Mode, is enabled by default, but Protected View is not enabled by default in Reader XI and Acrobat XI for Windows. That apparent mistake is drawing criticism from security experts. Eugene Kasperksy, CEO of Kaspersky Lab, likened the deactivated-by-default security feature to "car airbags that work only if owners flip a switch."

The Protected View defense came to light Wednesday, when Adobe detailed mitigation techniques for the zero-day attacks. "Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View," according to a security bulletin released by Adobe. "To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu." Similarly, enterprise administrators can activate Protected View via a registry tweak, then using Microsoft's Group Policy to distribute the setting.

Windows users running older versions of Reader or Acrobat could upgrade to the latest version to mitigate the vulnerabilities. Meanwhile, another mitigation technique would be to avoid using Adobe Reader and Acrobat, and read or edit PDF files using an alternate application, such as the Preview application built into Mac OS X, or standalone applications from Foxit and Solid Documents, which respectively offer PDF conversion and editing software for Windows and Mac. As noted by Ars Technica, while this software likely also contains exploitable bugs, attackers don't seem to currently be targeting them.

To date, FireEye and Adobe have declined to release the exploit code being used by attackers, but FireEye Wednesday did offer some additional details about the attack, noting that the malicious PDF files have been weaponized with JavaScript. "The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques," according to a blog post by FireEye researchers. "Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader ... and it creates the appropriate shellcode based on the version found."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.