Vulnerabilities / Threats
2/13/2013
10:13 AM
50%
50%

Adobe Reader, Acrobat Under Attack

Cue the security fatigue: Zero-day attacks target Adobe Reader and Acrobat, Adobe pushes second Flash patch, Microsoft fixes 57 flaws.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Zero-day vulnerabilities in the most recent versions of Adobe Reader and Acrobat are being actively exploited by attackers, who are emailing malicious PDFs to targets to remotely compromise their PCs.

That warning comes from researchers at security firm FireEye, which said it's provided copies of the exploit code to Adobe. "A PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," according to a security warning posted Tuesday by FireEye. "Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain."

Adobe said it's investigating the alleged zero-day bugs. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild," according to a brief Adobe vulnerability report released Tuesday. "We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information."

[ Can the government help with cybersecurity? Read White House Cybersecurity Executive Order: What It Means. ]

No additional details about the zero-day vulnerabilities have been publicly released, and it's not clear if the bugs allow attackers to bypass the sandbox built into Reader and Acrobat. But until the vulnerability gets patched, FireEye recommended that users avoid opening any PDF files of unknown origin.

Adobe Tuesday also patched known Flash Player vulnerabilities in Shockwave Player, Flash Player, and Adobe AIR, by releasing updates for Windows, Mac OS X, Linux and Android. That marked the second time in less than a week that Adobe, which normally only releases quarterly patch updates, released "out of band" patches to mitigate in-the-wild exploits of bugs in its products. In addition, Oracle still plans to release further patches on February 19.

In other words, 2013 is already turning out to be a banner year for bug spotting. For starters, new flaws recently surfaced not just in Flash and Adobe Reader and Acrobat, but also Internet Explorer and Java.

Microsoft Tuesday patched 57 vulnerabilities in its products, as part of its regularly scheduled, monthly patch release, and many of the bugs have been labeled as critical. "[The] critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related bulletin rated 'important' this month," said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, in a blog post. "The other vulnerabilities enable elevation of privilege and denial of service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited."

Many security experts are advising security managers to prioritize the Internet Explorer patch, which fixes 13 vulnerabilities -- privately reported to Microsoft and not yet detailed publicly -- which attackers could use to remotely exploit code on vulnerable machines. "Despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Indeed, expect attackers to be working overtime to reverse-engineer the patches, which would allow them to craft attacks that exploit Windows PCs that haven't been patched.

One critical Microsoft patch addresses flaws in the Windows media codec, which could be exploited by crafting a malicious media file. Another fix targets vulnerabilities in the RTF file format that could be exploited by crafting a malicious RTF file, which if opened in Microsoft Word or WordPad would allow an attacker to compromise the PC. "Microsoft warns that this is likely to be exploited in the wild within 30 days," said Ducklin.

While those vulnerabilities affect clients, another critical vulnerability exists on Microsoft Exchange servers with Oracle's Outside In technology. The vulnerabilities could be exploited by attackers to remotely compromise the server or create a denial of service.

Security researchers have also published further details of the bugs that were patched last week in Adobe's Flash Player. According to a blog post from Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov, the vulnerabilities (designated CVE-2013-0633) are being actively exploited by "so-called 'legal' surveillance malware created by the Italian company HackingTeam." The Italian company's surveillance software is called RCS (Remote Control System), aka DaVinci, and has been used "against human rights activists and political dissidents from Africa, South America and the Middle East," according to the researchers.

The Kaspersky Lab researchers said they cataloged six different ways that RCS has been installed on targets' computers, and four of them employ zero-day vulnerabilities. "Interestingly ... two of the 0-days appear to have been created by the French offensive security company Vupen," said the researchers. "The link was also previously pointed out by Citizen Lab's report, which says it's unclear if the exploits used with HackingTeam's malware have been purchased from Vupen, or just engineered in parallel."

Chaouki Bekrar, CEO and head of research for Vupen, dismissed as "defamatory allegations and unproven claims" the Kaspersky Lab suggestion that his company may have sold the zero-day vulnerabilities to HackingTeam. "We did not develop nor sell any of these exploits," Bekrar said via email. "In the vulnerability research field, it often happens that many unlinked researchers, groups or companies work on similar flaws or exploits without knowledge of the others, we call this vulnerability overlaps and it's very common and usual."

Note: Story updated to correct error in number of flaws fixed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/13/2013 | 7:47:26 PM
re: Adobe Reader, Acrobat Under Attack
It will be interesting to see if there's a sandbox bypass here in this new exploit.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.