Adobe investigating Reader, Acrobat exploit reports

ronjor · Dec 14, 2009

by Elinor Mills

Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.

"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Click to expand...

Article

Triple Helix · Dec 15, 2009

Yet another problem with adobe they should have monthly updates like Microsoft opps they do!

TH

Dogbiscuit · Dec 15, 2009

From Symantec:

The PDF files we discovered arrives as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H.
Click to expand...

From the Shadowserver Foundation which says it has examined the exploit:

Exploit Details

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009.
Click to expand...

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult. On the bright side though, there are some solutions to this problem.
Click to expand...

Solution

We have said it before and we will say it again: Disable JavaScript.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

We have not had time to fully test but enabling hardware DEP for systems that support it may also mitigate this issue.

Antivirus detection should improve in the coming weeks and hopefully a patch. Right now only 5 out of the 41 different Antivirus vendors used by Virustotal are detecting this threat. Even then their detection appears to be generic and is not currently specifically detecting this exploit.
Click to expand...

EDIT: From PC Magazine:

Shadowserver calls strongly on users to disable JavaScript in Acrobat and Reader. This is a good idea for most users, but for others it's not a realistic option. Many corporate applications use JavaScript in PDFs for important functions like forms processing and it's even used by Google Docs as part of their printing support.
Click to expand...

Both Shadowserver and Symantec list the attack as very rare and it has probably been used in a very targeted way so far, but that could change in short order. Symantec's description of Trojan.Pidief.H includes some details not in other reports, specifically that after triggering the vulnerability the exploit drops and executes %Temp%\AdobeUpdate.exe. Depending on the target of the attack this program may drop other executables ... .
Click to expand...

Rmus · Dec 15, 2009

Thanks for posting this, Dogbiscuit!

Symantec's description of Trojan.Pidief.H includes some details not in other reports, specifically that after triggering the vulnerability

the exploit drops and executes %Temp%\AdobeUpdate.exe.

Depending on the target of the attack

this program may drop other executables ...

Antivirus detection should improve in the coming weeks and hopefully a patch. Right now only 5 out of the 41 different Antivirus vendors used by Virustotal are detecting this threat. Even then their detection appears to be generic and is not currently specifically detecting this exploit.
Click to expand...

Even if DEP doesn't mitigate this exploit, and although AV detection is not reliable yet, any security solution that alerts to unauthorized executables will block the attempt to drop \AdobeUpdate.exe.

The Trojan.Pidief family of malware goes back to earlier this year. All of the trojans have the same payload: a command to call out to a server to download the malware.

I've written about this before, so if you aren't familiar with how these PDF expoits work, and how easy it is to prevent against them, here it is again. While it uses a web-embedded remote code execution exploit as an example, an email attack is similarly prevented beginning with the "third requirement:"

http://www.urs2.net/rsj/computing/tests/pdf/

It's been noted before that not everyone has a Firewall with outbound monitoring, nor anti-execution prevention. Fair enough, but that doesn't mean that these solutions aren't available for those who care to investigate how these exploits work and thus, take appropriate preventative measures.

All you have to do is read, as Dogbiscuit has done, and retrieve the pertinent information: a malware executable attempts to download in the background.

What can you do to prevent that? Then, you go from there!

So, you have to get beyond the initial advisory, which ususally doesn't give you much to go on.

----
rich

Thankful · Dec 17, 2009

Fix coming January 12, 2010:
http://blogs.adobe.com/asset/2009/12/background_on_reader_update_sh.html

JRViejo · Dec 18, 2009

Adobe chose to wait until mid-January to patch a critical PDF bug because issuing an emergency update would have disrupted its quarterly security update schedule, the company said today.
Click to expand...

Adobe explains PDF patch delay, by Gregg Keizer.

Log in or Sign up

Adobe investigating Reader, Acrobat exploit reports

ronjor Global Moderator

Triple Helix Specialist

Dogbiscuit Guest

Rmus Exploit Analyst

Thankful Savings Monitor

JRViejo Super Moderator

Log in or Sign up

Adobe investigating Reader, Acrobat exploit reports

ronjor Global Moderator

Triple Helix Specialist

Dogbiscuit Guest

Rmus Exploit Analyst

Thankful Savings Monitor

JRViejo Super Moderator

Useful Searches