Risk
2/14/2013
09:01 AM
50%
50%

Adobe Zero-Day Attack Bypasses Sandbox

Adobe fumbles on the security front by not enabling -- by default -- technology built into its PDF Reader and Acrobat that would have blocked the current attacks.

The in-the-wild exploits being launched against the latest versions of Adobe Reader and Adobe Acrobat applications are the first known attacks that can bypass the sandbox that Adobe built into the software.

The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe's software, they wouldn't be able to gain access to the rest of the PC. That defense has now been defeated.

The zero-day attacks against Reader and Acrobat, which target two previously unknown vulnerabilities, were first publicly disclosed by security firm FireEye on Tuesday. Adobe confirmed the same day that it had already begun to investigate the attacks, which use malicious PDFs that are emailed to targets, as well as the bugs they exploit.

"These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," according to an Adobe security advisory issued Wednesday.

[ Hackers' business model seems to be the same as everyone else's. See Cybercrime 2.0: It's All About The Money. ]

Interestingly, the latest version of Adobe's software -- Reader XI and Acrobat XI -- for Windows does have a built-in defense, called Protected View, that blocks the current zero-day attacks. Unfortunately, the feature isn't enabled by default. In addition, no such feature is present in version 11 of Reader or Acrobat for Mac OS X, which is vulnerable to the attacks. Similarly, versions 9 and 10 of the Adobe Reader and Adobe Acrobat, for both Windows and Mac OS X, lack the feature, and are also vulnerable to the attacks.

An Adobe spokesperson said a less-restrictive feature, Protective Mode, is enabled by default, but Protected View is not enabled by default in Reader XI and Acrobat XI for Windows. That apparent mistake is drawing criticism from security experts. Eugene Kasperksy, CEO of Kaspersky Lab, likened the deactivated-by-default security feature to "car airbags that work only if owners flip a switch."

The Protected View defense came to light Wednesday, when Adobe detailed mitigation techniques for the zero-day attacks. "Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View," according to a security bulletin released by Adobe. "To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu." Similarly, enterprise administrators can activate Protected View via a registry tweak, then using Microsoft's Group Policy to distribute the setting.

Windows users running older versions of Reader or Acrobat could upgrade to the latest version to mitigate the vulnerabilities. Meanwhile, another mitigation technique would be to avoid using Adobe Reader and Acrobat, and read or edit PDF files using an alternate application, such as the Preview application built into Mac OS X, or standalone applications from Foxit and Solid Documents, which respectively offer PDF conversion and editing software for Windows and Mac. As noted by Ars Technica, while this software likely also contains exploitable bugs, attackers don't seem to currently be targeting them.

To date, FireEye and Adobe have declined to release the exploit code being used by attackers, but FireEye Wednesday did offer some additional details about the attack, noting that the malicious PDF files have been weaponized with JavaScript. "The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques," according to a blog post by FireEye researchers. "Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader ... and it creates the appropriate shellcode based on the version found."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.