A major exploit of a recently patched vulnerability in Adobe Reader has been detected by Trend Micro

News by Dan Raywood

A major vulnerability in Adobe Reader has been detected by Trend Micro.


Adobe released an update for Adobe Acrobat 8 and Adobe Reader 8 last week; working exploit code for the util.printf() vulnerability was published a day later. Trend Micro reported that malware authors were quick to put the exploit to their own use.


Research manager Ivan Macalintal was alerted to malicious .PDF files that exploit the Adobe Reader vulnerability, which Trend Micro now detects as TROJ_PIDIEF.CB. He reported that users running unpatched Adobe Reader may be infected when they unknowingly visit a particular remote website, or are redirected there from malicious banners and ads.


Adobe's advisory explained that the critical vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.


Trend Micro reports that the exploit works as a buffer overflow: on execution, TROJ_PIDIEF.CB can crash Reader and then allow a malicious user to take control of the affected system. This compromises system security and exposes the machine to further threats, as attackers can then easily drop adware and other malicious programs from the VUNDO and VIRTUMON families, and in some cases VIRUT, onto infected PCs.


Adobe's bulletin also listed multiple input validation issues that could potentially lead to remote code execution; it categorised these as critical and recommended that users apply the update for their product installations.


Rik Ferguson, senior security advisor at Trend Micro, said: “This exploit appears to be taking advantage of a buffer overflow vulnerability, where the vulnerable application doesn't correctly validate data input. When an unexpected amount of data is entered, without proper bounds checking, the application can crash, also potentially allowing an attacker to execute code with elevated permissions. Buffer overflows constitute a very widely exploited weakness in general, in the world of cybercrime.

“Successful exploitation of this vulnerability leaves the victim PC open to further threats, for example the remote installation of the VUNDO family of malware. VUNDO is a Trojan, and a particularly effective one, which can install rogue anti-virus among other delights. This could potentially affect a lot of people as so many of us have Acrobat installed on our computers. When I have run into the VUNDO Trojan on the machines that I have cleaned up for friends, I have seen it can download and install all kinds of very tough-to-remove malware.”
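The class of weakness Ferguson describes, a formatter that accepts an unexpected amount of output without bounds checking, is illustrated below in C. This is an added example, not Adobe's or Trend Micro's code and not a reconstruction of the Adobe Reader bug: it shows a hypothetical number formatter that lets the caller set the printf field width and writes into a fixed stack buffer with no check, beside a hardened version that validates the width, bounds the write with snprintf() and treats truncation as an error. All function names, buffer sizes and sample inputs are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size stack buffer the formatter writes into (hypothetical size). */
#define OUT_BUF_LEN 64
/* Largest field width the hardened formatter will honour (hypothetical). */
#define MAX_FIELD_WIDTH 32

/* Vulnerable pattern: the caller controls the printf field width, and
 * nothing checks that the padded result fits in `out`.  A width larger
 * than OUT_BUF_LEN makes sprintf() write past the end of the stack
 * buffer.  This function exists only to show the defect; it is never
 * called by the demonstration below. */
void format_number_vulnerable(char *out, int width, double value)
{
    /* "%*f" takes the width from the argument list, so no format string is
     * built at runtime; the overflow comes purely from the missing bounds check. */
    sprintf(out, "%*f", width, value);
}

/* How many bytes (including the terminating NUL) the vulnerable path would
 * write for this width and value, computed without actually writing them. */
size_t vulnerable_bytes_needed(int width, double value)
{
    int n = snprintf(NULL, 0, "%*f", width, value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened formatter: refuse widths the buffer cannot hold, write with
 * snprintf() so the length is bounded, and treat truncation as an error
 * rather than silently returning a clipped string.
 * Returns the number of characters written, or -1 on rejection. */
int format_number_safe(char *out, size_t outlen, int width, double value)
{
    if (out == NULL || outlen == 0)
        return -1;
    if (width < 0 || width > MAX_FIELD_WIDTH) {
        out[0] = '\0';
        return -1;                      /* width fails input validation */
    }
    int n = snprintf(out, outlen, "%*.2f", width, value);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;                      /* output would not have fit: reject */
    }
    return n;
}

/* 1 if the hardened formatter accepts `width` into an OUT_BUF_LEN buffer,
 * 0 if it rejects it. */
int width_is_accepted(int width)
{
    char buf[OUT_BUF_LEN];
    return format_number_safe(buf, sizeof buf, width, 3.14159) >= 0;
}

int main(void)
{
    /* Constructed inputs: one sane width and one far beyond the buffer. */
    int widths[] = { 10, 10000 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int w = widths[i];
        size_t need = vulnerable_bytes_needed(w, 3.14159);
        printf("width %5d: vulnerable path writes %zu bytes into a %d-byte buffer -> %s\n",
               w, need, OUT_BUF_LEN, need > OUT_BUF_LEN ? "OVERFLOW" : "fits");
        printf("width %5d: hardened formatter %s the request\n",
               w, width_is_accepted(w) ? "accepts" : "rejects");
    }
    return 0;
}
```

The hardened version rejects rather than truncates: a clipped number is a silent correctness bug, and returning an error forces the caller to handle the out-of-range width explicitly.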

