Sophisticated zero-day hits Adobe Reader

05 January 2010

More details are emerging of a zero-day attack on Adobe's PDF reader and Acrobat applications, and security experts are calling it highly sophisticated. Moreover, anti-malware tools have been woefully poor at spotting it.

The zero-day attack exploits CVE-2009-4324, a vulnerability Adobe first confirmed on December 15 and for which no patch is yet available.

CVE-2009-4324 is a vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat that lets attackers execute arbitrary code via a malicious PDF file. The SANS Institute analyzed a malicious PDF, sent in by a reader, that implements the zero-day attack, and found that only six of 40 antivirus vendors detected the exploit.

The PDF implementing the zero-day attack uses two pieces of shellcode to help avoid detection. The first uses an 'egg hunting' technique: it searches memory for a specific marker sequence of instructions and uses it to pass execution to a second piece of shellcode, which is included as a separate binary object in the PDF document.

The two-stage attack carries a dual benefit for the implementer of the zero-day exploit, explained SANS researcher Bojan Zdrnja. First, it enables the attacker to change the second shellcode without altering the first. "Additionally, this will make automatic analysis impossible for any tool using a JavaScript interpreter on the included JavaScript code," he said. This is because the document has to be loaded in memory for the first stage of shellcode to work.

The second-stage shellcode included in the zero-day attack installs the PoisonIvy client, a remote administration utility that gives attackers a back door into the compromised machine. It also attempts to cover its tracks by opening a benign PDF on the victim's machine, to hide the fact that it has crashed Adobe Reader.
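Because the first stage only works once the document is loaded in memory, running the embedded JavaScript through an interpreter is not a reliable detection route; a first-pass static triage of the raw PDF bytes for the indicators the article names (a JavaScript action, a call to the vulnerable media.newPlayer method, and a separate embedded object for a second stage) is one defender-side alternative. The script below is an added example, not code from SANS or the article; the two PDF skeletons are constructed, and the caveat in the docstring is an assumption about real samples.

```python
import re
from dataclasses import dataclass, field

# String-level indicators taken from the article: a JavaScript action, a call to
# Doc.media.newPlayer, a separate embedded object, and an OpenAction on load.
PATTERNS = {
    "javascript_action": re.compile(rb"/(?:JS|JavaScript)\b"),
    "newplayer_call": re.compile(rb"media\.newPlayer\s*\("),
    "embedded_file": re.compile(rb"/(?:EmbeddedFile|Filespec)\b"),
    "openaction": re.compile(rb"/OpenAction\b"),
}

@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)  # indicator name -> occurrence count
    object_count: int = 0                     # number of "N G obj" definitions

    @property
    def suspicious(self) -> bool:
        # A literal newPlayer call is decisive; JavaScript plus a separate
        # embedded object is the weaker "two-stage" shape the article describes.
        return "newplayer_call" in self.hits or (
            "javascript_action" in self.hits and "embedded_file" in self.hits)

def triage_pdf(data: bytes) -> TriageResult:
    """Scan raw PDF bytes; never evaluates the embedded JavaScript.
    Caveat (assumption about real samples): obfuscated JS or FlateDecode
    streams hide these strings, so treat a clean result as inconclusive."""
    result = TriageResult()
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(data))
        if count:
            result.hits[name] = count
    result.object_count = len(re.findall(rb"\b\d+ \d+ obj\b", data))
    return result

# Constructed documents (not real exploit files): a skeleton with an OpenAction
# JavaScript object calling newPlayer plus an embedded object, and a benign one.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (this.media.newPlayer(null);) >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
AAAA
endstream endobj
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
trailer << /Root 1 0 R >>
"""
```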

Adobe has pledged to patch the vulnerability on January 12th, giving the zero-day attack at least another week to spread -- and probably far longer, if users do not update their systems.

Turning off JavaScript would be one way to avoid the attack, but according to an interview conducted by ThreatPost, Adobe security chief Brad Arkin advises users to think carefully before disabling the functionality. "If you were to disable JavaScript altogether, that would disrupt a lot of things," he said.