Thursday, September 9, 2010

Adobe Reader 0-day PDF exploit in the wild

I've seen multiple reports of this, all referring to Adobe Reader 9.3.4 and Adobe Reader 8.2.4 (the latest versions).   I've seen no mention of whether or not this affects Foxit Reader or other PDF readers.  FWIW on my home machine, where I do most of my "surfing", I use Foxit Reader as my default PDF reader and SumatraPDF when opening PDFs directly from web links.

Computer Security Research - McAfee Labs Blog
Just after Adobe released their Out of Band patch for CVE-2010-2862, we discovered a malware exploiting a new 0-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0day vulnerability also occurs while Adobe Reader is parsing TrueType Fonts. We've analyzed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).
New Adobe PDF zero-day under attack | ZDNet

By Ryan Naraine | September 8, 2010, 10:28am PDT

Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.

Details on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.

Here’s Adobe’s warning:

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory
We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write-up and here is the link to the original advisory.  The exploit was discovered in a phishing attempt with the subject of "David Leadbetter's One Point Lesson".  Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details).  It does affect the latest version of Acrobat/Reader and Adobe is investigating a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments.
Attackers Exploiting New Acrobat/Reader Flaw — Krebs on Security
Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says it's in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the Virustotal scan results from today are here, and yes it's a safe PDF).

The advisory doesn't discuss possible mitigating factors, although turning off Javascript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).
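Two of the excerpts above give a defender something concrete to look for: McAfee says the bug is hit while Reader parses TrueType fonts, and ISC and Krebs both note that signature coverage for the in-the-wild PDF was poor. The script below is an added example of mine, not code from this post or from any of the quoted sources, and it is a generic triage heuristic rather than a signature for CVE-2010-2883 (the page does not say which part of the font triggers the bug, and the script does not pretend to know). It walks a PDF's objects with the standard library only, follows every /FontFile2 reference to its embedded TrueType program, and sanity-checks the sfnt table directory for tables that claim bytes beyond the end of the data; separately it flags document-level JavaScript paired with an auto-open action. The two sample PDFs and the font programs are constructed in the file so it runs offline; the object layout, the "glyf" table and the app.alert string are all made up for the demonstration.

```python
"""Static triage of a PDF for embedded TrueType fonts with a malformed
table directory and for JavaScript wired to an auto-open action.
Standard library only; the sample PDFs are constructed below."""
import re
import struct
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_START = re.compile(rb"stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
FONTFILE2_REF = re.compile(rb"/FontFile2\s+(\d+)\s+\d+\s+R")


def split_object(body):
    """Split an object body into (dictionary, decoded stream or None)."""
    sm = STREAM_START.search(body)
    if not sm:
        return body, None
    dictionary = body[:sm.start()]
    lm = DIRECT_LENGTH.search(dictionary)
    if lm:  # trust a direct /Length: binary data may contain 'endstream'
        raw = body[sm.end():sm.end() + int(lm.group(1))]
    else:   # indirect /Length: fall back to the keyword
        raw = body[sm.end():].rsplit(b"endstream", 1)[0]
    if b"/FlateDecode" in dictionary:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # keep raw bytes; a broken filter is itself worth a look
    return dictionary, raw


def truetype_table_issues(font):
    """Check an sfnt table directory: uint32 scaler, uint16 numTables,
    3 x uint16, then numTables x (tag, checksum, offset, length).
    Returns a list of tables or directories that overrun the data."""
    if len(font) < 12:
        return ["font program shorter than the 12-byte sfnt header"]
    scaler, num_tables = struct.unpack(">IH", font[:6])
    issues = []
    if scaler not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        issues.append("unexpected scaler type 0x%08x" % scaler)
    if 12 + 16 * num_tables > len(font):
        issues.append("directory claims %d tables in %d bytes" % (num_tables, len(font)))
        return issues
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        if off + length > len(font):
            issues.append("table %s: offset %d + length %d exceeds %d bytes"
                          % (tag.decode("latin-1"), off, length, len(font)))
    return issues


def triage_pdf(pdf):
    """Coarse substring checks plus a structural check on each /FontFile2."""
    objects = {int(m.group(1)): split_object(m.group(2)) for m in OBJ_RE.finditer(pdf)}
    findings = {"truetype_fonts": 0, "malformed_fonts": [],
                "javascript": False, "auto_action": False}
    font_refs = set()
    for dictionary, _data in objects.values():
        if b"/JavaScript" in dictionary or b"/JS" in dictionary:
            findings["javascript"] = True
        if b"/OpenAction" in dictionary or b"/AA" in dictionary:
            findings["auto_action"] = True
        font_refs.update(int(x) for x in FONTFILE2_REF.findall(dictionary))
    for ref in sorted(font_refs):
        findings["truetype_fonts"] += 1
        _dictionary, data = objects.get(ref, (b"", None))
        issues = truetype_table_issues(data) if data is not None else ["/FontFile2 target is not a stream"]
        if issues:
            findings["malformed_fonts"].append((ref, issues))
    findings["suspicious"] = bool(findings["malformed_fonts"]) or (
        findings["javascript"] and findings["auto_action"])
    return findings


def build_font(glyf_length):
    """Constructed sfnt: one 'glyf' table at offset 28 followed by 16 payload
    bytes; any glyf_length above 16 claims data that is not there."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    directory = struct.pack(">4sIII", b"glyf", 0, 28, glyf_length)
    return header + directory + b"\x00" * 16


def build_sample_pdf(font_program, with_js):
    """Constructed minimal PDF (not a real sample) that embeds font_program
    as /FontFile2 and, optionally, an /OpenAction running JavaScript."""
    packed = zlib.compress(font_program)
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 7 0 R" if with_js else b"") + b" >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >>",
        4: b"<< /Type /Font /Subtype /TrueType /BaseFont /Sample /FontDescriptor 5 0 R >>",
        5: b"<< /Type /FontDescriptor /FontName /Sample /FontFile2 6 0 R >>",
        6: b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
           % (len(packed), len(font_program)) + packed + b"\nendstream",
    }
    if with_js:
        objs[7] = b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>"
    out = b"%PDF-1.4\n"
    for num in sorted(objs):
        out += b"%d 0 obj\n" % num + objs[num] + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN_PDF = build_sample_pdf(build_font(16), with_js=False)
SUSPICIOUS_PDF = build_sample_pdf(build_font(0x7FFFFFFF), with_js=True)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, triage_pdf(doc))
```

The substring checks are deliberately crude (they will fire on any /JS or /AA key, and they ignore object streams and encrypted documents), so treat a hit as a reason to open the file in a sandboxed, non-Adobe viewer for a closer look, not as a verdict. The table-directory check is the part that carries over to real samples: a font whose directory points outside its own data is malformed regardless of which parser bug an attacker is aiming at.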
