Warning made of critical vulnerability in Adobe Reader and Acrobat that is actively exploited
Adobe has warned of a critical vulnerability in its Reader and Acrobat with reports made that it is being actively exploited in the wild.
The vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. The flaw specifically targets Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and Unix; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.
Adobe has said that it is in the process of evaluating the schedule for an update to resolve this vulnerability. It was detected by security researcher Mila Parkour who reported the bug to Adobe on Tuesday. He said in his blog that he had discovered a malicious email with a PDF attachment that claimed to offer golf tips from instructor David Leadbetter.
It urged the recipient to open the document, but Parkour identified that it ‘crashes/closes and opens a decoy file with the same name (except in lower case), which gets dropped in user profile Application Data'.
It was tested on XP SP2 Adobe Reader 9.3.4 and not on XP SP3 and later, or with latest versions of Flash or Shockwave. Parkour said: “A downloader file gets dropped in user %tmp% directory, downloads winhelp32.exe, which creates a connection to academyhouse.us. There are really a lot of things going on with it.”
Chester Wisniewski, senior security advisor at Sophos Canada, said: “There is one big difference between this vulnerability and others recently patched in Reader. The last few advisories were actually flaws in Adobe Flash and you could disable the ability to render flash in Reader to once again mitigate against the flaws.
“Adobe's advisory does not contain any mitigation steps which imply that none are known to work. They have classified the bug as ‘critical' and I would be surprised if they did not release an out-of-band fix for something this dangerous.”
McAfee security researcher Xiao Chen said: “Just after Adobe released their out-of-band patch for CVE-2010-2862, we discovered a malware exploiting a new zero-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero-day vulnerability also occurs while Adobe Reader is parsing TrueType Fonts. We've analysed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).
“This zero-day vulnerability is a typical stack buffer overflow vulnerability and exploitation of this issue is expected to be relatively easy. Although the latest version of Adobe Reader has been compiled with stack protection (/GS), the exploit uses a Return Oriented Exploitation (ROP) technique to bypass /GS protection and DEP.
“We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.”
Kaspersky Lab researcher Roel Schouwenberg said that the exploit is pretty basic, but what is interesting is that it makes use of ROP to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7.
He said: “More widespread usage of ROP for exploits is something I've been expecting for a while. Why? Because Windows 7 is gaining more and more traction in both the consumer and corporate space.
“While most malicious PDFs download their payload, this time the PDF has malicious content embedded. The file it drops is digitally signed with a valid signature from a US-based Credit Union, this means that the cyber criminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.
“It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011. Both VeriSign and Vantage Credit Union have been notified so that they can take action.”