Adobe Zero-Day Attack Bypasses Sandbox

Published: 22/11/2024   Category: security




Adobe fumbles on the security front by not enabling -- by default -- technology built into its PDF Reader and Acrobat that would have blocked the current attacks.



The in-the-wild exploits being launched against the latest versions of Adobe Reader and Adobe Acrobat applications are the first known attacks that can bypass the sandbox that Adobe built into the software. The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe's software, they wouldn't be able to gain access to the rest of the PC. That defense has now been defeated.
The zero-day attacks against Reader and Acrobat, which target two previously unknown vulnerabilities, were first publicly disclosed by security firm FireEye on Tuesday. Adobe confirmed the same day that it had already begun to investigate the attacks, which use malicious PDFs that are emailed to targets, as well as the bugs they exploit. "These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," according to an Adobe security advisory issued Wednesday.
Interestingly, the latest version of Adobe's software -- Reader XI and Acrobat XI -- for Windows does have a built-in defense, called Protected View, that blocks the current zero-day attacks. Unfortunately, the feature isn't enabled by default. In addition, no such feature is present in version 11 of Reader or Acrobat for Mac OS X, which is vulnerable to the attacks. Similarly, versions 9 and 10 of Adobe Reader and Adobe Acrobat, for both Windows and Mac OS X, lack the feature and are also vulnerable to the attacks.
An Adobe spokesperson said a less-restrictive feature, Protected Mode, is enabled by default, but Protected View is not enabled by default in Reader XI and Acrobat XI for Windows. That apparent mistake is drawing criticism from security experts. Eugene Kaspersky, CEO of Kaspersky Lab, likened the deactivated-by-default security feature to car airbags that work only if owners flip a switch.
The Protected View defense came to light Wednesday, when Adobe detailed mitigation techniques for the zero-day attacks. "Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View," according to a security bulletin released by Adobe. "To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu." Similarly, enterprise administrators can activate Protected View via a registry tweak, then use Microsoft's Group Policy to distribute the setting.
Windows users running older versions of Reader or Acrobat could upgrade to the latest version to mitigate the vulnerabilities. Meanwhile, another mitigation technique would be to avoid using Adobe Reader and Acrobat, and read or edit PDF files using an alternate application, such as the Preview application built into Mac OS X, or standalone applications from Foxit and Solid Documents, which respectively offer PDF conversion and editing software for Windows and Mac. As noted by Ars Technica, while this software likely also contains exploitable bugs, attackers don't seem to currently be targeting them.
To date, FireEye and Adobe have declined to release the exploit code being used by attackers, but FireEye Wednesday did offer some additional details about the attack, noting that the malicious PDF files have been weaponized with JavaScript. "The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques," according to a blog post by FireEye researchers. "Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader ... and it creates the appropriate shellcode based on the version found." In other words, if a recipient opens the malicious PDF, the JavaScript inside the PDF ascertains which version of Adobe Reader or Adobe Acrobat they're using, then serves up the code required to exploit that particular application. The attack code also uses return-oriented programming to disguise itself and bypass built-in ASLR and DEP defenses.
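A defensive use of those details, as an added example that is not from the article, FireEye or Adobe: a small Python triage script that inflates a PDF's Flate-compressed streams and flags the indicators described above (embedded JavaScript, automatic-open actions, viewer-version checks and string-manipulation calls). The sample PDF is constructed inline and carries only harmless JavaScript.

```python
import re
import zlib

# Constructed sample (not from the attack): a minimal PDF whose OpenAction runs a
# Flate-compressed JavaScript stream that branches on app.viewerVersion, the
# version-check pattern FireEye describes. The script itself is harmless.
SAMPLE_JS = (b"var ver = app.viewerVersion; var s = '';"
             b"if (ver >= 11) { s = unescape('%u0041'); } else { s = String.fromCharCode(65); }")
SAMPLE_BODY = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(SAMPLE_BODY)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + SAMPLE_BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed control: same skeleton with no actions or JavaScript at all.
CLEAN_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# A dictionary immediately followed by the stream keyword; the body starts at the match end.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
AUTO_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
INDICATORS = {
    "viewer_version_check": re.compile(rb"app\.viewerVersion"),
    "string_obfuscation": re.compile(rb"unescape\s*\(|String\.fromCharCode|\.replace\s*\("),
}

def extract_streams(pdf):
    """Yield decoded stream bodies, inflating FlateDecode streams; skip ones that will not inflate."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        # Prefer a direct /Length so binary bodies are sliced exactly; ignore indirect "n 0 R" lengths.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        body = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body

def triage_pdf(pdf):
    """Return the set of findings: action/JS dictionary keys plus content indicators in any stream."""
    findings = {"key:" + k.decode() for k in AUTO_KEYS if k in pdf}
    for blob in (pdf, *extract_streams(pdf)):
        findings.update(name for name, rx in INDICATORS.items() if rx.search(blob))
    return findings

if __name__ == "__main__":
    print(sorted(triage_pdf(SAMPLE_PDF)))  # flagged indicators
    print(sorted(triage_pdf(CLEAN_PDF)))   # empty list
```

Any hit on a file that arrived by e-mail is a reason to open it only in Protected View, or not at all, and to send it on for deeper analysis.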
After exploiting Reader or Acrobat, the attack code installs -- or drops -- a payload file, which is a DLL file disguised as a language bar add-in. The malicious file then goes to sleep to help disguise the infection. Interestingly, FireEye said the malware is also designed to not do anything that a real language bar plug-in wouldn't do, and includes techniques designed to fool sandbox defenses that aim to spot and block malicious code.
According to Trend Micro, the malware used in the attack includes DLL files designed to run on 64-bit machines. "The people behind this threat may have included this 64-bit malware in an attempt to evade detection by anti-malware programs," according to a blog post from the company.
Trend Micro said that in the attack samples it gathered, a successful exploit results in a Trojan injector DLL file being dropped, as well as a non-malicious file named Visaform Turkey.pdf being copied onto the system, which is likely designed to hoodwink users into not realizing they've just executed a malicious file.
Security researcher and regular Metasploit contributor Eric Romang reported Wednesday that Visaform Turkey.pdf was first submitted Monday and then Tuesday to VirusTotal, where it was identified as being a malicious file that had been created just 10 days ago. Meanwhile, a command-and-control server tied to the attacks was anonymously submitted to jsunpack on Wednesday.
Those clues aside, security researchers have yet to detail, or perhaps identify, the targets of the malicious PDF attack or what types of data may have been targeted by the attackers.
