New Adobe Reader and Acrobat Exploit in the Wild

Discussion in 'malware problems & news' started by Rmus, Oct 8, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Adobe Reader and Acrobat issue
    http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
    Adobe Acrobat Reader Remote Code Execution Vulnerability
    http://www.securityfocus.com/bid/36600/discuss
    Targeted exploits usually suggest email as the attack vector at an organization, either with a link to download the PDF file, or the PDF file arriving as an attachment.

    However, once the exploit code is available, it could appear in other web-based attacks as seen in the past.

    Remote Code execution suggests the same type of exploit we've seen in the past, where code inside the PDF file connects out to the internet to a server to download malware.

    -rich
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Adobe is having the Microsoft 2005 moment ...
    Mrk
     
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that article. Other researchers who had the PDF file were stingy and didn't give any information about the exploit code.

    Here is the pertinent part from TrendMicro:

    I've not seen such a PDF file to test, but the same type of exploit can be shown using an earlier malicious document file, as mentioned by TrendMicro:

    Malicious RTF Document in Targeted Email Exploit
    https://www.wilderssecurity.com/showthread.php?t=244726

    Whether the executable is extracted from the document, or attempts to download via code calling out to a server, it is easily blocked with proper protection in place.

    Note that both the RTF exploit and this current PDF exploit are targeted attacks, usually meaning an organization, where the policy "don't open attachments" doesn't apply, especially when email lists are compromised and the recipient either trusts the sender, or has good reason to think the attachment is legitimate.

    -rich
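    As an added example (editor's code, not from the thread or from any of the posters, Adobe or TrendMicro): a small triage scanner for the kind of document Rmus describes above, which looks for the dictionary keys that give a PDF active content (JavaScript, open-time actions, Launch) or a payload to drop (embedded files), inflating FlateDecode streams first and resolving #xx-escaped names so that `/J#61vaScript` is not missed. The two PDFs it builds are constructed for the demonstration, and the key list is an assumption about what is worth flagging, not a list taken from the advisory.

```python
import re
import zlib

# Keys that give a PDF active content or a payload to drop.
# Editorial assumption for this example, not a list from the advisory.
SUSPICIOUS_KEYS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "runs an action when the file opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/URI": "URI action (can call out to a server)",
    b"/RichMedia": "Flash/rich media content",
}

_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; the lookbehind keeps "endstream" from matching as a start.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus the inflated body of every Flate stream."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or deliberately corrupt); keep scanning
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Map each suspicious key found to (occurrences, reason)."""
    text = normalize_names(inflate_streams(data))
    hits = {}
    for key, why in SUSPICIOUS_KEYS.items():
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
        if n:
            hits[key.decode()] = (n, why)
    return hits


def _assemble(objects) -> bytes:
    """Glue numbered objects into a minimal (xref-less) PDF body."""
    out = [b"%PDF-1.5"]
    for num, obj in enumerate(objects, 1):
        out.append(b"%d 0 obj\n%s\nendobj" % (num, obj))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF")
    return b"\n".join(out)


def build_sample_pdf() -> bytes:
    """Constructed sample: OpenAction running compressed JavaScript, the
    action name hex-escaped, plus a /Launch action hidden in an object
    stream so that only the inflated content reveals it."""
    js = zlib.compress(b"app.alert('constructed sample');")
    hidden = zlib.compress(b"6 0 << /S /Launch /F (calc.exe) >>")
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /S /J#61vaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
        % (len(js), js),
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>"
        b"\nstream\n%s\nendstream" % (len(hidden), hidden),
    ])


def build_clean_pdf() -> bytes:
    """Constructed control: one blank page, no actions or embedded data."""
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ])


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("clean", build_clean_pdf())):
        print(label, scan_pdf(pdf) or "no suspicious keys")
```

    A hit on these keys is a reason to look closer, not proof of an exploit: plenty of legitimate forms carry JavaScript, and a malicious file can also use filters other than Flate or split a name across an object stream in ways this single pass does not follow.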
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Well I have a simpler approach to protection from this. I've removed Adobe Reader from all my machines. Can't stand it.

    Pete
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Peter, I agree ... too much bloat and slowness ...
    Mrk
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Which one is better Foxit or PDFExchange?

    Thanks
     
  8. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I understand.

    Currently I have version 8.x installed, with javascript disabled and I removed the ActiveX.

    There may be exploits but I can't be bothered to update it.
    I have never been infected by/through it, and I don't expect that to happen.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sorry, I don't know much about DEP.

    ----
    rich
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Over the past year I've tested 37 malicious PDF files - some in web-based attacks, others just opening on disk. Only TWO triggered an exploit on my small, non-bloated, 1.5-seconds-to-open Acrobat Reader v.6.

    I've thought about downloading a newer version to try the bad files, but I didn't want to waste the time.

    ----
    rich
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  13. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, hardware DEP is the one that matters here, because it prevents code execution from the stack/heap (and this exploit executes code from the heap).
     
  14. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Foxit and Free Expert PDF Viewer seem buggy to use. I have to use Adobe Reader, which I hate. I've disabled all the crap it tries to start on my system, so that's about it. Banks and bills all use Adobe Reader templates, which forces you to use it. Foxit and Free Expert PDF Viewer can't open PDFs that require Adobe Reader 9. I also use PDF Creator for bills paid, to save them to the HDD, just to cut back on toner/drum usage and paper here; color ink carts are expensive!
     