03:13 PM
Connect Directly

Adobe Reader, Acrobat Under Zero-Day Attack

New exploit in the wild capitalizes on flaw in JavaScript function, patch to come January 12

Adobe's Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag.

Adobe late yesterday issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that's being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. "This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.

So far, Adobe and security researchers around the industry have been tight-lipped on details about the newly discovered vulnerability involved, but ShadowServer today said in its blog that the flaw resides in a JavaScript function in Acrobat and Reader. The trick is that the vulnerable JavaScript is hidden inside a "zlib stream," which makes it difficult for security scanners to detect it, ShadowServer says. The flaw is found in 8.x and 9.x versions of the software, according to ShadowServer, and researchers are currently testing earlier versions for the bug as well.

Ben Greenbaum, senior research manager for Symantec Security Response, says the exploit similar to previous ones for Reader and Acrobat as well as for other client-side attacks. "This is the preferred method of attack for criminals the past couple of years. They will discover vulnerabilities in the software that runs on the end user machine" for processing remote content, he says. "It's used to install some kind of malware that logs keystrokes and records financial transactions, [for example] and sends that information back to the attacker."

And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine.

It works like this: the user is sent a socially engineered email with a PDF attachment. When the victim opens the malicious PDF, his machine is pushed a Trojan that then installs the Infostealer family of malware that logs keystrokes, captures screenshots, and sends that information to its controller, Greenbaum says. Symantec has christened the Trojan as Trojan.Pidief.H.

So far, the exploit has been hitting a small number of victims and it appears to be targeted, researchers say. "But it could very easily be added to toolkits. At that point, exploitation would become more widespread," Greenbaum says. So far, it arrives with an urgent email message, some of which is in broken English, indicating the attack comes from a location where English isn't the primary language, he says.

So far, only a handful of antivirus products can detect the exploit, including McAfee's GW Edition, eSafe, NOD32, Symantec, and Kaspersky Lab.

Meanwhile, the best way to protect against an attack from this new exploit is to disable JavaScript in the Adobe PDF app.

That may sound simple, but trouble is, users are inclined to enable JavaScript to get the full functionality of many Websites that rely on it. "The vast majority of people have JavaScript enabled," Greenbaum says. "Even those who disable it will re-enable it after the patch is out."

Even once this zero-day gets patched, don't expect the bad guys to give up on Adobe apps. The wildly popular Acrobat Reader is found on most users' machines. "Attackers typically go after software packages that are deployed most widely. It's a business decision to get a better return on their investment," Greenbaum says. "That's part of the reason for the repeated targeting of Adobe product ... everyone has it on their computer, so you're going to have the broadest possible audience."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.