Zero-day PDF exploit affects Adobe Reader 11 and earlier versions, researchers say
Adobe is investigating the report, but has yet to confirm that the exploit bypasses the sandbox protection in Adobe Reader 10 and 11
IDG News Service - Researchers from security firm FireEye claim that attackers are actively using a remote code execution exploit that works against the latest versions of Adobe Reader 9, 10 and 11.
"Today, we identified that a PDF zero-day [vulnerability] is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," the FireEye researchers said late Tuesday in a blog post.
The exploit drops and loads two DLL files on the system. One file displays a bogus error message and opens a PDF document that's used as a decoy, the FireEye researchers said.
Remote code execution exploits regularly cause the targeted programs to crash. In this context, the fake error message and second document are most likely used to trick users into believing that the crash was the result of a simple malfunction and the program recovered successfully.
Meanwhile, the second DLL installs a malicious component that calls back to a remote domain, the FireEye researchers said.
It's not clear how the PDF exploit is being delivered in the first place -- via email or over the Web -- or who were the targets of the attacks using it. FireEye did not immediately respond to a request for additional information sent Wednesday.
"We have already submitted the sample to the Adobe security team," the FireEye researchers said in the blog post. "Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files."
The Adobe Product Security Incident Response Team (PSIRT) confirmed Tuesday in a blog post that it is investigating a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploiting in the wild. The risk to customers is being assessed, the team said.
In response to a request for a status update sent Wednesday, Heather Edell, Adobe's senior manager of corporate communications, said that the company is still investigating.
Sandboxing is an anti-exploitation technique that isolates a program's sensitive operations in a strictly controlled environment in order to prevent attackers from writing and executing malicious code on the underlying system even after exploiting a traditional remote code execution vulnerability in the program's code.
A successful exploit against a sandboxed program would have to leverage multiple vulnerabilities, including one that allows the exploit to escape from the sandbox. Such sandbox bypass vulnerabilities are rare, because the code that implements the actual sandbox is usually carefully reviewed and is fairly small in length compared to the program's overall codebase that could contain vulnerabilities.
Adobe added a sandbox mechanism to isolate write operations called Protected Mode in Adobe Reader 10. The sandbox was further expanded to cover read-only operations as well in Adobe Reader 11, through a second mechanism called Protected View.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- The Case for Mobile Apps Today's mobile apps turn handheld devices into e-book readers, portable navigation systems, digital wallets and more. And for organizations with mobile workers, they...
- Mobile Expense Management--Picking up the Money on the Ground Integrating and managing mobility expenses across multiple carriers can generate savings and improve organizational decision making.
- Partners in Mobile Device Management: AirWatch & CDW When it comes to Mobile Device Management, it's not just what you know. It's who you know. That's why CDW partners with industry...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Government Agency Webifies Outdated COBOL Applications Let this CTO tell you how his agency converted 1980s-era green screens into an e-filing portal for the 100,000 cases handled each year...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Testimonial: Cystic Fibrosis Trust Peter Hawkins, the Head of IT for Cystic Fibrosis Trust, discusses the role CommVault's Simpana software platform plays in improving the company's information... All Applications White Papers | Webcasts