New exploit in the wild capitalizes on flaw in JavaScript function, patch to come January 12

Adobe's Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag.

Adobe late yesterday issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that's being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. "This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.

So far, Adobe and security researchers around the industry have been tight-lipped on details about the newly discovered vulnerability involved, but ShadowServer today said in its blog that the flaw resides in a JavaScript function in Acrobat and Reader. The trick is that the vulnerable JavaScript is hidden inside a "zlib stream," which makes it difficult for security scanners to detect it, ShadowServer says. The flaw is found in 8.x and 9.x versions of the software, according to ShadowServer, and researchers are currently testing earlier versions for the bug as well.

Ben Greenbaum, senior research manager for Symantec Security Response, says the exploit similar to previous ones for Reader and Acrobat as well as for other client-side attacks. "This is the preferred method of attack for criminals the past couple of years. They will discover vulnerabilities in the software that runs on the end user machine" for processing remote content, he says. "It's used to install some kind of malware that logs keystrokes and records financial transactions, [for example] and sends that information back to the attacker."

And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine.

It works like this: the user is sent a socially engineered email with a PDF attachment. When the victim opens the malicious PDF, his machine is pushed a Trojan that then installs the Infostealer family of malware that logs keystrokes, captures screenshots, and sends that information to its controller, Greenbaum says. Symantec has christened the Trojan as Trojan.Pidief.H.

So far, the exploit has been hitting a small number of victims and it appears to be targeted, researchers say. "But it could very easily be added to toolkits. At that point, exploitation would become more widespread," Greenbaum says. So far, it arrives with an urgent email message, some of which is in broken English, indicating the attack comes from a location where English isn't the primary language, he says.

So far, only a handful of antivirus products can detect the exploit, including McAfee's GW Edition, eSafe, NOD32, Symantec, and Kaspersky Lab.

Meanwhile, the best way to protect against an attack from this new exploit is to disable JavaScript in the Adobe PDF app.

That may sound simple, but trouble is, users are inclined to enable JavaScript to get the full functionality of many Websites that rely on it. "The vast majority of people have JavaScript enabled," Greenbaum says. "Even those who disable it will re-enable it after the patch is out."

Even once this zero-day gets patched, don't expect the bad guys to give up on Adobe apps. The wildly popular Acrobat Reader is found on most users' machines. "Attackers typically go after software packages that are deployed most widely. It's a business decision to get a better return on their investment," Greenbaum says. "That's part of the reason for the repeated targeting of Adobe product ... everyone has it on their computer, so you're going to have the broadest possible audience."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights