Newest Adobe zero-day PDF exploit 'scary,' says researcher
Bypasses Windows DEP and ASLR defenses, comes with valid digital certificate
Computerworld - The exploit for a critical unpatched bug in Adobe Reader that's now circulating is "clever" and "impressive," security researchers said this week.
In an exploit first uncovered on Tuesday by Washington-based researcher Mila Parkour, attackers are using rigged PDF documents that include code to exploit a zero-day vulnerability in the widely used Reader PDF viewer as well as in Acrobat, Adobe's PDF creation software.
The sophisticated exploit bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (data execution prevention), researchers have confirmed.
"It's pretty clever," said Chet Wisniewski, a senior security adviser at security software vendor Sophos. "It circumvents protections like ASLR and DEP. "Its techniques are certainly out of the ordinary and a lot more sophisticated than the garden-variety [PDF] exploit."
The attack, which has been spotted attached to e-mails touting renowned golf coach and author David Leadbetter, also includes a malicious file that's digitally signed with a valid signature from Missouri-based Vantage Credit Union.
VeriSign has revoked the signature, but the already baked malware will still carry what appears to be a valid digital signature, Wisniewski said.
Vantage Credit Union's Web site now displays a message saying that users' access to their accounts via Intuit's Quicken and Microsoft's now-discontinued Money are "unavailable until further notice due to circumstances beyond our control," a sign that the financial firm's signature has been revoked.
Other researchers were also taken with the technical skills of the hacker who crafted the exploit and the trend it hinted at.
"So the Adobe [zero-day] is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!" said "Neeraj," who works as a senior security research engineer at Nevis Network, an Indian company. "That's how future attacks gonna be. Scary!"
Although most researchers have pointed out that the current attacks have likely been aimed at specific individuals or companies -- they were "targeted," in security parlance -- hackers will probably quickly expand both the population of victims they attack and the size of their assaults, Wisniewski said. "Now that the cat's out of the bag, I'd expect to see more," he said.
A working exploit was added to the open-source Metasploit penetration testing kit Thursday and revised earlier Friday to run reliably on Windows Vista and Windows 7 systems, and to launch from a browser, said HD Moore, the chief security officer for Rapid7 and the creator of Metasploit.
The Metasploit exploit was written by researcher Joshua Drake, who noted on Thursday that the current in-the-wild exploit can compromise a Windows PC if its user only previews the rigged PDF.
Adobe warned Reader and Acrobat users Tuesday of the vulnerability, but it has not said when it would patch the bug. Nor has it offered any advice about how to stymie attacks.
Another work-around suggested by the SANS Institute is to install the gPDF browser add-on, which opens any Web-hosted PDF in Google Docs' viewer instead of using the Adobe Reader browser plug-in. The gPDF add-on is available in versions for Firefox and Chrome; it can also be run on Safari and Opera using available Greasemonkey scripts.
Wisniewski said that there was evidence that the hacker had been working on the exploit for almost a year. "The DLL that it drops was [digitally] signed in 2009, so that part of it at least isn't brand new," he said. "That doesn't mean the exploit itself was available back then, but is another indication of a targeted attack."
He compared the Reader zero-day exploit with the Stuxnet worm, which caused concern in July when it was discovered attacking industrial control systems at large manufacturing and utility companies. Symantec traced Stuxnet back to June 2009, with attacks likely beginning the following month, when hackers apparently stole digital certificate keys from a pair of Taiwanese software firms and then used them to sign two versions of the worm.
"This makes two [attacks] that have used valid certificates," Wisniewski said. "I'm starting to wonder if [hackers] aren't using other malware that's specifically targeting certificates and their keys."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts