Zero-day PDF exploit affects Adobe Reader 11 and earlier versions, researchers say

Adobe is investigating the report, but has yet to confirm that the exploit bypasses the sandbox protection in Adobe Reader 10 and 11

Researchers from security firm FireEye claim that attackers are actively using a remote code execution exploit that works against the latest versions of Adobe Reader 9, 10 and 11.

"Today, we identified that a PDF zero-day [vulnerability] is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," the FireEye researchers said late Tuesday in a blog post.

The exploit drops and loads two DLL files on the system. One file displays a bogus error message and opens a PDF document that's used as a decoy, the FireEye researchers said.

Remote code execution exploits regularly cause the targeted programs to crash. In this context, the fake error message and second document are most likely used to trick users into believing that the crash was the result of a simple malfunction and the program recovered successfully.

Meanwhile, the second DLL installs a malicious component that calls back to a remote domain, the FireEye researchers said.

It's not clear how the PDF exploit is being delivered in the first place -- via email or over the Web -- or who were the targets of the attacks using it. FireEye did not immediately respond to a request for additional information sent Wednesday.

"We have already submitted the sample to the Adobe security team," the FireEye researchers said in the blog post. "Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files."

The Adobe Product Security Incident Response Team (PSIRT) confirmed Tuesday in a blog post that it is investigating a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. The risk to customers is being assessed, the team said.

In response to a request for a status update sent Wednesday, Heather Edell, Adobe's senior manager of corporate communications, said that the company is still investigating.

Sandboxing is an anti-exploitation technique that isolates a program's sensitive operations in a strictly controlled environment in order to prevent attackers from writing and executing malicious code on the underlying system even after exploiting a traditional remote code execution vulnerability in the program's code.

A successful exploit against a sandboxed program would have to leverage multiple vulnerabilities, including one that allows the exploit to escape from the sandbox. Such sandbox bypass vulnerabilities are rare, because the code that implements the actual sandbox is usually carefully reviewed and is fairly small compared to the program's overall codebase, which could contain vulnerabilities.

In Adobe Reader 10, Adobe added a sandbox mechanism called Protected Mode to isolate write operations. In Adobe Reader 11, the sandbox was further expanded to cover read-only operations as well, through a second mechanism called Protected View.

Back in November, security researchers from Russian security firm Group-IB reported that an exploit for Adobe Reader 10 and 11 was being sold on cybercriminal forums for between US$30,000 and $50,000. The exploit's existence was not confirmed by Adobe at the time.

"Before the introduction of the sandbox, Adobe Reader was one of the most targeted third-party applications by cybercriminals," Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender, said Wednesday via email. "If this is confirmed, the discovery of a hole in the sandbox will be of crucial importance and will definitely become massively exploited by cybercriminals."

Botezatu believes that bypassing the Adobe Reader sandbox is a difficult task, but he expected this to happen at some point because the large number of Adobe Reader installations makes the product an attractive target for cybercriminals. "No matter how much companies invest in testing, they still can't ensure that their applications are bug free when deployed on production machines," he said.

Unfortunately, Adobe Reader users don't have many options to protect themselves if a sandbox-bypassing exploit actually exists, except for being extremely careful about what files and links they open, Botezatu said. Users should update their installations as soon as a patch becomes available, he said.
