Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Newest Adobe zero-day PDF exploit 'scary,' says researcher

Bypasses Windows DEP and ASLR defenses, comes with valid digital certificate

The exploit for a critical unpatched bug in Adobe Reader that's now circulating is "clever" and "impressive," security researchers said this week.

First uncovered on Tuesday by Washington-based researcher Mila Parkour, attackers are using rigged PDF documents that include code to exploit a zero-day vulnerability in the widely used Reader PDF viewer as well as in Acrobat, Adobe's PDF creation software.

The sophisticated exploit bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (date execution prevention), researchers have confirmed.

"It's pretty clever," said Chet Wisniewski, a senior security adviser with software security firm Sophos. "It circumvents protections like ASLR and DEP. "Its techniques are certainly out of the ordinary and a lot more sophisticated than the garden variety [PDF] exploit."

The attack, which has been spotted attached to e-mails touting renowned golf coach and author David Leadbetter, also includes a malicious file that's digitally signed with a valid signature from Missouri-based Vantage Credit Union.

VeriSign has revoked the signature, but the already baked malware will still carry what appears to be a valid digital signature, Wisniewski said.

Vantage Credit Union's Web site now displays a message saying that users' access to their accounts via Intuit's Quicken and Microsoft's now-discontinued Money are "unavailable until further notice due to circumstances beyond our control," a sign that the financial firm's signature has been revoked.

Other researchers were also taken with the technical skills of the hacker who crafted the exploit and the trend it hinted at.

"The Adobe 0day exploit is pretty impressive," said noted vulnerability researcher Dino Dai Zovi on Twitter yesterday.

"So the Adobe 0day is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!" said "Neeraj," who works as a senior security research engineer for Nevis Network, an Indian firm. "That's how future attacks gonna be. Scary!"

Although most researchers have pointed out that the current attacks have likely been aimed at specific individuals or companies -- "targeted," in security parlance -- hackers will probably quickly expand the range of victims and the size of their assaults, Wisniewski said. "Now that the cat's out of the bag, I'd expect to see more," he said.

A working exploit was added to the open-source Metasploit penetration testing kit Thursday and revised earlier Friday to run reliably on Windows Vista and Windows 7 systems, and to launch from a browser , said HD Moore , the chief security officer for Rapid7 and the creator of Metasploit.

The Metasploit exploit was written by researcher Joshua Drake , who noted Thursday that the current in-the-wild exploit can compromise a Windows PC if its user only previews the rigged PDF.

Adobe warned Reader and Acrobat users Tuesday of the vulnerability, but has not said when it would patch the bug. Nor has it offered any advice to stymie attacks.

Wisniewski said disabling JavaScript in Reader and Acrobat blocked the current exploit, but may not protect people against future attacks.

To disable JavaScript in Adobe Reader or Acrobat on Windows, users must select Preferences from the Edit menu, choose "JavaScript," then uncheck the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.)

Another workaround suggested by the SANS Institute is to install the gPDF browser add-on , which opens any Web-hosted PDF in Google Docs' viewer rather than call on the Adobe Reader browser plug-in. gPDF is available in versions for Firefox and Chrome, and can also be run on Safari and Opera using available Greasemonkey scripts.

Wisniewski also said that there was evidence that the hacker had been working on the exploit for almost a year. "The DLL that it drops was [digitally] signed in 2009, so that part of it at least isn't brand new," he said. "That doesn't mean the exploit itself was available back then, but is another indication of a targeted attack."

He compared the Reader zero-day exploit with the Stuxnet worm, which caused concern in July when it was discovered attacking industrial control systems at large manufacturing and utility companies. Symantec traced Stuxnet back to June 2009 , with attacks likely beginning the following month, when hackers apparently stole digital certificate keys from a pair of Taiwanese software firms, then used them to sign two versions of the worm.

"This makes two [attacks] that have used valid certificates," Wisniewski said. "I'm starting to wonder if [hackers] aren't using other malware that's specifically targeting certificates and their keys."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Adobe, Drake, etwork, Google, Intuit, Microsoft, Quicken, SANS Institute, Sophos, Symantec, VeriSign
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Microsoft, security, sophos, VeriSign
Latest Blog Posts
Whitepapers
  • Protecting Against the Leading Causes of Data Breach
    This whitepaper was written for the organisation that wants to focus on prevention of data loss and doesn’t have millions to spend, but needs affordable solutions that can be implemented today to protect millions of sensitive records and dollars worth of intellectual property. This whitepaper addresses: - What organisations can do to prevent the four leading causes of data breaches - Why dedicated (pure-play) DLP solutions may not protect you from all four leading causes of data breaches - How to get prevent sensitive data leaving your organisation
    Learn more »
  • How to Choose an SMB - Unified Communications as a Service (UCAAS) Solution
    The on-premise deployment of Unified Communications (UC) continues to be a source of considerable corporate angst especially for the Small to Medium Business (SMB) sector. IT research firm Gartner believes UCaaS will be adopted as an adjunct service by large enterprises and as a core service by SMBs before 2015. To help SMBs choose the best offering and develop a suitable roadmap Computerworld has prepared this special feature profiling the major offerings in the Australian market.
    Learn more »
  • Optimizing Data Quality in the Enterprise - How to Tackle Your Bad Information
    Data quality – the measure of data accuracy, completeness, and consistency across a business – has become the core focus of information management efforts among many of today’s organizations. Problems with data quality continue to plague corporations of all types and sizes. In this paper, we will discuss some techniques companies can implement to enhance data quality across the entire enterprise. We will also highlight data quality management solutions, which provide businesses with the ability to effectively and economically enhance the correctness, completeness, and consistency of information in each and every system within their technology infrastructure.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments