Adobe Reader, Acrobat Under Attack

Cue the security fatigue: Zero-day attacks target Adobe Reader and Acrobat, Adobe pushes second Flash patch, Microsoft fixes 57 flaws.

Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)
Zero-day vulnerabilities in the most recent versions of Adobe Reader and Acrobat are being actively exploited by attackers, who are emailing malicious PDFs to targets to remotely compromise their PCs.
That warning comes from researchers at security firm FireEye, which said its provided copies of the exploit code to Adobe. A PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1, according to a
security warning
posted Tuesday by FireEye. Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.
Adobe said its investigating the alleged zero-day bugs. Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild, according to a brief
Adobe vulnerability report
released Tuesday. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information.
[ Can the government help with cybersecurity? Read
White House Cybersecurity Executive Order: What It Means
. ]
No additional details about the zero-day vulnerabilities have been publicly released, and its not clear if the bugs allow attackers to
bypass the sandbox
built into Reader and Acrobat. But until the vulnerability gets patched, FireEye recommended that users avoid opening any PDF files of unknown origin.
Adobe Tuesday also
patched known Flash Player vulnerabilities
in
Shockwave Player
,
Flash Player
, and Adobe AIR, by releasing updates for Windows, Mac OS X, Linux and Android. That marked the
second time in less than a week
that Adobe, which normally only releases quarterly patch updates, released out of band patches to mitigate in-the-wild exploits of bugs in its products. In addition,
Oracle still plans to release further patches
on February 19.
In other words, 2013 is already turning out to be a banner year for bug spotting. For starters, new flaws recently surfaced not just in Flash and Adobe Reader and Acrobat, but also
Internet Explorer and Java
.
Microsoft Tuesday patched 57 vulnerabilities in its products, as part of its regularly scheduled, monthly patch release, and many of the bugs have been labeled as critical. [The] critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related bulletin rated important this month, said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, in a
blog post
. The other vulnerabilities enable elevation of privilege and denial of service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited.
Many security experts are advising security managers to prioritize the Internet Explorer patch, which fixes 13 vulnerabilities -- privately reported to Microsoft and not yet detailed publicly -- which attackers could use to remotely exploit code on vulnerable machines. Despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a
blog post
. Indeed, expect attackers to be working overtime to reverse-engineer the patches, which would allow them to craft attacks that exploit Windows PCs that havent been patched.
One critical Microsoft patch addresses flaws in the Windows media codec, which could be exploited by crafting a malicious media file. Another fix targets vulnerabilities in the RTF file format that could be exploited by crafting a malicious RTF file, which if opened in Microsoft Word or WordPad would allow an attacker to compromise the PC. Microsoft warns that this is likely to be exploited in the wild within 30 days, said Ducklin.
While those vulnerabilities affect clients, another critical vulnerability exists on Microsoft Exchange servers with Oracles Outside In technology. The vulnerabilities could be exploited by attackers to remotely compromise the server or create a denial of service.
Security researchers have also published further details of the bugs that were patched last week in Adobes Flash Player. According to a
blog post
from Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov, the vulnerabilities (designated
CVE-2013-0633
) are being actively exploited by so-called legal surveillance malware created by the Italian company HackingTeam. The Italian companys surveillance software is called RCS (Remote Control System), aka DaVinci, and has been used against human rights activists and political dissidents from Africa, South America and the Middle East, according to the researchers.
The Kaspersky Lab researchers said they cataloged six different ways that RCS has been installed on targets computers, and four of them employ zero-day vulnerabilities. Interestingly ... two of the 0-days appear to have been created by the French offensive security company Vupen, said the researchers. The link was also previously pointed out by
Citizen Labs report
, which says its unclear if the exploits used with HackingTeams malware have been purchased from Vupen, or just engineered in parallel.
Chaouki Bekrar, CEO and head of research for Vupen, dismissed as defamatory allegations and unproven claims the Kaspersky Lab suggestion that his company may have sold the zero-day vulnerabilities to HackingTeam. We did not develop nor sell any of these exploits, Bekrar said via email. In the vulnerability research field, it often happens that many unlinked researchers, groups or companies work on similar flaws or exploits without knowledge of the others, we call this vulnerability overlaps and its very common and usual.
Note: Story updated to correct error in number of flaws fixed.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Adobe Reader, Acrobat Under Attack