Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:13 PM
Connect Directly

Adobe Reader, Acrobat Under Zero-Day Attack

New exploit in the wild capitalizes on flaw in JavaScript function, patch to come January 12

Adobe's Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag.

Adobe late yesterday issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that's being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. "This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.

So far, Adobe and security researchers around the industry have been tight-lipped on details about the newly discovered vulnerability involved, but ShadowServer today said in its blog that the flaw resides in a JavaScript function in Acrobat and Reader. The trick is that the vulnerable JavaScript is hidden inside a "zlib stream," which makes it difficult for security scanners to detect it, ShadowServer says. The flaw is found in 8.x and 9.x versions of the software, according to ShadowServer, and researchers are currently testing earlier versions for the bug as well.

Ben Greenbaum, senior research manager for Symantec Security Response, says the exploit similar to previous ones for Reader and Acrobat as well as for other client-side attacks. "This is the preferred method of attack for criminals the past couple of years. They will discover vulnerabilities in the software that runs on the end user machine" for processing remote content, he says. "It's used to install some kind of malware that logs keystrokes and records financial transactions, [for example] and sends that information back to the attacker."

And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine.

It works like this: the user is sent a socially engineered email with a PDF attachment. When the victim opens the malicious PDF, his machine is pushed a Trojan that then installs the Infostealer family of malware that logs keystrokes, captures screenshots, and sends that information to its controller, Greenbaum says. Symantec has christened the Trojan as Trojan.Pidief.H.

So far, the exploit has been hitting a small number of victims and it appears to be targeted, researchers say. "But it could very easily be added to toolkits. At that point, exploitation would become more widespread," Greenbaum says. So far, it arrives with an urgent email message, some of which is in broken English, indicating the attack comes from a location where English isn't the primary language, he says.

So far, only a handful of antivirus products can detect the exploit, including McAfee's GW Edition, eSafe, NOD32, Symantec, and Kaspersky Lab.

Meanwhile, the best way to protect against an attack from this new exploit is to disable JavaScript in the Adobe PDF app.

That may sound simple, but trouble is, users are inclined to enable JavaScript to get the full functionality of many Websites that rely on it. "The vast majority of people have JavaScript enabled," Greenbaum says. "Even those who disable it will re-enable it after the patch is out."

Even once this zero-day gets patched, don't expect the bad guys to give up on Adobe apps. The wildly popular Acrobat Reader is found on most users' machines. "Attackers typically go after software packages that are deployed most widely. It's a business decision to get a better return on their investment," Greenbaum says. "That's part of the reason for the repeated targeting of Adobe product ... everyone has it on their computer, so you're going to have the broadest possible audience."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Will This Be the Year of the Branded Cybercriminal?
Raveed Laeb, Product Manager at KELA,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases.
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all data that would be replicated in a multi-server setup without p...