What would a PDF file have to do with a kernel vulnerability?

What would a PDF file have to do with a kernel vulnerability?

http://blog.spiderlabs.com/2013/12/...-zeroday-pointer-cve-2013-5065-ring-ring.html

 

Thanks for posting this .

Hopefully this will convince the previously unconvinced that "local elevation of privilege"-related Microsoft updates should be applied.

 

Above my head guys, can someone simplify a little please?

Quite some time ago I ditched Acrobat Reader in favour of FoxitReader because Id seen complaints about it phoning home.

 

The short story is that Adobe has a fairly tight sandbox, for Windows. An attacker broke out of it (in the wild, as in users were actually exploited using this technique) by using a carefully crafted PDF file to get execution in Reader, and then, from the unprivileged/ sandboxed component, they attacked the windows kernel.

This provided a full sandbox escape, giving them access to the entire system.

 

Thanks Hungry Man.

 

Thanks for the link!

Microsoft had issued an alert a couple of weeks ago -- evidently it doesn't affect Operating Systems newer than WinXP:

Microsoft Releases Security Advisory 2914486
[Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege]
27 Nov 2013 2:30 PM
http://blogs.technet.com/b/msrc/archive/2013/11/27/microsoft-releases-security-advisory-2914486.aspx

But your link is the first description of how the PDF file does its work.

I was a bit disappointed in that the exploit's goal didn't do anything more esoteric than write an executable file to disk!

From blog.spiderlabs.com:

Of course, getting a trojan/virus onto the computer is the goal of most malware writers, but the possibilities to do other things certainly exist.


----
rich

 

Just another boring social engineering-triggered exploit.

 

on my xp machines with adobe reader 11.0.5 i have always unchecked javascript and in trust manager unchecked allow third party etc. open reader,edit,preferences, and scroll down. i only use reader to view pdf files. this was reccomended 5 yrs ago when reader was being attacked every other day. thanks

 

@Wat,

A bit more interesting than that. The kernel attack is the interesting part, not the adobe exploitation.

@Rmus,

Yes, a bit of a shame. An attacker can do so much more at Ring 0, but they chose not to.

Attackers are just like defenders - they're always a few years behind the researchers. They'll catch up.

 

True enough but the basis of the attack is still contingent upon someone deliberately launching the malicious pdf. I'm more impressed with automated attacks via malicious script or similar.

 

Virtually no attack is 100% automated. In very advanced attacks, they can be. At almost all times a user is at the very least required to click a link to a webpage, or visit some page.

Social engineering is easy. How many times have I convinced you to click a link to my horribly insecure website? That's a fraction of the number of times you could be hacked.

 

Which is why I stated automated and not automatic

I go there by choice, and then I can see there's no suspicious js lurking there either Honestly, I feel no concern wherever I surf, I'm that confident in my setup, bolstered always by a fail safe backup plan in place.

 

Well, I don't mean to say that your security setup would be easily subverted - it's fine. I just mean that you click a million different things every day, and you take in a ton of untrusted content every day. Social engineering someone is not hard because they all do that.

 

Social engineering is easy. Just look at Wilders. I reckon every external link posted the forum is happily clicked by its members without a second thought.

 

Haha speak for yourself

I only click on the link if it's visible like the first one or else I usually don't bother with the hyperlinks.

https://www.wilderssecurity.com/

Wilders Security Forums

 

Well I don't either.
Look at it from a different angle but similar problem - isn't it common for many of us at Wilders to test every new security software out there, even those from relatively unknown/new sources?

 

Yep, that's what I do. No need to think about it.

 

Well, that can be easily spoofed, which you won't catch unless hovering the mouse over the hyperlink displays the address, or you look at the page source code. The hyperllink below takes you to time.com news site:

https://www.wilderssecurity.com/


----
rich

 

Not to mention I can say "New security product being hosted at www.actuallyevil.com" and no one will know without clicking.

The point is that social engineering is easy, and most people will fall for it.

I wouldn't discount an attack just because it requires a minimal amount.

Regardless, the interesting part of this is that sandboxes are much less useful (as are all host based security tools) when the kernel is weak.

 

Yeah that's true, if I am not familiar with the poster like a very new forum member that I know nothing about then I am more cautious.

I copied your link to the search area of my browser and the true destination was shown.

But then it doesn't make sense why a trusted member like you would post a spoofed link like your example normally, so if you would post a normal link in a thread tomorrow I would probably click on it without checking where to it goes first.

To tell the truth, I don't think that I have ever checked a normal looking link like your example posted on Wilders before clicking on it, so spoofed links on Wilders is rare, I have always landed on the right destination

 

I always compare to what is displayed in the status bar. If it is not a match, or is blank, then I don't bother to click. I don't trust this site more than any other.

 

No need for that, just hover your cursor over the link and look at where the status bar would be.

 

Script control. That's all you need.

 

Yes I could but I have my status bar disabled Enabled it would be at the bottom of the window.