Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:45 AM
Connect Directly

New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat

Use Protected Mode until patch is available for sophisticated attacks, Adobe says

This article was updated on 2/15/13 with more information on reports of a previous sandbox bypass

Attacks are under way exploiting the newest versions of Adobe's PDF sandbox and other protections -- sure signs that sophisticated, well-funded attackers are likely behind this latest wave of threats to the popular software, according to security experts who have studied the malware.

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Security vendor F-Secure recommends also selecting "All files" under Protected View, rather than the "Files from potentially unsafe locations" option suggested by Adobe.

[UPDATE/Clarification, 02/15/13]:
It may not be the first time Adobe's sandbox feature has been beaten in an exploit, however, notes Zheng Bu, senior director of research for FireEye, which first spotted the zero-day attack in the wild and contacted Adobe. "We had seen a [sandbox] bypass late last year," he says, referring to a report that Group-IB claims to have bypassed the sandbox.

Adobe says there is no evidence of the previous sandbox bypass attack, despite its efforts to get a proof-of-concept from Group-IB.

Bu says the new attack is advanced. "This is a very sophisticated attack. It ... bypasses ASLR [Address Space Layout Randomization] and Adobe sandbox. These technologies were introduced to the system level and the application level to make exploitation harder; they have been quite effective for a while," Bu says. But security researchers have demonstrated that these techniques can be beaten, he says.

"We are starting to see this bypassing ASLR has been readily used [like with] this zero-day exploit," he says. "The threat landscape is changing, and we really need new technologies. I would say Adobe needs to continue to innovate and better protect its customers."

The attack so far has been in the form of an email with a malicious PDF file attachment named "visa.form.turkey.PDF," which looks a lot like an authentic Turkey visa application, Bu says.

Once the victim opens the file, three binaries are dropped: a loader, a command and control module, and another binary that downloads additional malware. "This is a malware suite -- with many binaries in the payloads," he says, adding that the malware was created on Feb. 4.

FireEye's Bu declined to speculate on who might be behind the latest Adobe zero-day attack.

[Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect. See The Pros And Cons Of Application Sandboxing.]

Other researchers have tested samples of the malicious PDF. Chaouki Bekrar, CEO and head of research at VUPEN, says the first bug allows the code execution inside the sandbox, and then second bug is exploited to escape the sandbox and execute the final payload. "After installing the Trojan, the exploit displays a fake PDF, which is a Visa form for a specific country," Bekrar says.

"This is the first seen-in-the-wild exploit combining multiple zero-day vulnerabilities to bypass ASLR and the sandbox," Bekrar says, and "it's a typical offensive exploit used by law enforcement agencies to track and infect criminals' computers and investigate their illegal activities."

Bekrar says the authors of the exploit appear to be very skilled, and writing and testing "this reliable code" likely took some time, he says.

He says while Adobe and Google have the most "robust" sandboxes, that doesn't mean they can't be cheated by attackers with enough resources and time.

Other experts concur that sophisticated attackers are indeed finding ways around the newest security controls in Adobe and other apps to sneak in and stay under the radar. "The use of evasive code is becoming a regular occurrence for malware writers, and it is important for organizations to closely examine their current network security measures to ensure they discover these threats before it causes costly damage and theft," says Dr. Giovanni Vigna, founder and CTO of Lastline and director of the Cybersecurity Center at UC Santa Barbara.

It's been a rough week for Adobe: It had just issued security updates for Flash Player, Shockwave Player, and AIR on Tuesday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.