New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat

Use Protected Mode until patch is available for sophisticated attacks, Adobe says

This article was updated on 2/15/13 with more information on reports of a previous sandbox bypass
Attacks are under way exploiting the newest versions of Adobes PDF sandbox and other protections -- sure signs that sophisticated, well-funded attackers are likely behind this latest wave of threats to the popular software, according to security experts who have studied the malware.
Adobe late yesterday confirmed that two critical newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victims machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.
The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.
Security vendor F-Secure
recommends
also selecting All files under Protected View, rather than the Files from potentially unsafe locations option suggested by Adobe.
[UPDATE/Clarification, 02/15/13]:
It may not be the first time Adobes sandbox feature has been beaten in an exploit, however, notes Zheng Bu, senior director of research for FireEye, which
first spotted the zero-day attack in the wild
and contacted Adobe. We had seen a [sandbox] bypass late last year, he says, referring to
a report that Group-IB claims to have bypassed the sandbox
.
Adobe says there is no evidence of the previous sandbox bypass attack, despite its efforts to get a proof-of-concept from Group-IB.
Bu says the new attack is advanced. This is a very sophisticated attack. It ... bypasses ASLR [Address Space Layout Randomization] and Adobe sandbox. These technologies were introduced to the system level and the application level to make exploitation harder; they have been quite effective for a while, Bu says. But security researchers have demonstrated that these techniques can be beaten, he says.
We are starting to see this bypassing ASLR has been readily used [like with] this zero-day exploit, he says. The threat landscape is changing, and we really need new technologies. I would say Adobe needs to continue to innovate and better protect its customers.
The attack so far has been in the form of an email with a malicious PDF file attachment named visa.form.turkey.PDF, which looks a lot like an authentic Turkey visa application, Bu says.
Once the victim opens the file, three binaries are dropped: a loader, a command and control module, and another binary that downloads additional malware. This is a malware suite -- with many binaries in the payloads, he says, adding that the malware was created on Feb. 4.
FireEyes Bu declined to speculate on who might be behind the latest Adobe zero-day attack.
[Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect. See
The Pros And Cons Of Application Sandboxing
.]
Other researchers have tested samples of the malicious PDF. Chaouki Bekrar, CEO and head of research at VUPEN, says the first bug allows the code execution inside the sandbox, and then second bug is exploited to escape the sandbox and execute the final payload. After installing the Trojan, the exploit displays a fake PDF, which is a Visa form for a specific country, Bekrar says.
This is the first seen-in-the-wild exploit combining multiple zero-day vulnerabilities to bypass ASLR and the sandbox, Bekrar says, and its a typical offensive exploit used by law enforcement agencies to track and infect criminals computers and investigate their illegal activities.
Bekrar says the authors of the exploit appear to be very skilled, and writing and testing this reliable code likely took some time, he says.
He says while Adobe and Google have the most robust sandboxes, that doesnt mean they cant be cheated by attackers with enough resources and time.
Other experts concur that sophisticated attackers are indeed finding ways around the newest security controls in Adobe and other apps to sneak in and stay under the radar. The use of evasive code is becoming a regular occurrence for malware writers, and it is important for organizations to closely examine their current network security measures to ensure they discover these threats before it causes costly damage and theft, says Dr. Giovanni Vigna, founder and CTO of Lastline and director of the Cybersecurity Center at UC Santa Barbara.
Its been a rough week for Adobe: It had just issued
security updates for Flash Player, Shockwave Player, and AIR
on Tuesday.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Zero-Day Attacks Cheat Key Security Features In Adobe Reader, Acrobat