Researcher warns of impending PDF attack wave
No-bug-required Reader flaw 'easy to reproduce,' says expert, expects money-stealing attacks soon
Computerworld - A design flaw in Adobe's popular PDF format will quickly be exploited by hackers to install financial malware on users' computers, a security company argued today.
The bug, which is not strictly a security vulnerability but actually part of the PDF specification, was first disclosed by Belgium researcher Didier Stevens last week. Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.
Unlike other attacks based on rogue PDFs, Stevens' technique does not require an underlying vulnerability in Adobe's Reader or Acrobat, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo, Stevens used a PDF document containing attack code that he was then able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.
It will be easy for hackers to replicate Stevens' strategy, said Mickey Boodaei, CEO of security company Trusteer, best known for Rapport, a security service that helps online banks, brokerages, and retailers secure customers' desktops.
"Didier's information is very clear, very easy to reproduce, and the attack seems to be very effective," said Boodaei. Although Stevens did not release proof-of-concept attack code, Trusteer's engineers were easily able to duplicate his attack, including the modifications to Reader's and Acrobat's warnings.
Boodaei assumes that criminals will be able to replicate the attack -- within days, if they haven't already -- and believes that they will immediately add it to the already-in-place multi-exploit kits that they've hidden on compromised legitimate sites.
"All the infrastructure is in place," Boodaei said, citing the networks of hacked sites that criminals use to launch drive-by attacks, which typically try multiple exploits or attack vectors, in order to infect as many victims as possible. "This is just another vulnerability they can use," he said.
Adobe has acknowledged the bug, but has not yet committed to producing a patch to stymie attacks. However, the company has urged users to change Reader's and Acrobat's settings to disable the /Launch function.
In a blog post Tuesday, Adobe Reader group product manager Steve Gottwals recommended that consumers block attacks by unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences panes. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.
Gottwals also showed how enterprise IT administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry.
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- What are the desktop virtualization market trends and how can you successfully deploy your solution? You've probably heard about desktop virtualization -- and some of its benefits -- things like tighter security, streamlined management and lower costs. But...
- The Value of Symantec NetBackup Appliances In this video, Symantec's Shelley Schmokel, Principal Product Manager for NetBackup Appliances, talks about the NetBackup Integrated Appliances and how they deliver enterprise-class... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!