Active Exploitation Of Unpatched PDF Vulnerability

Outsmart Malicious Hackers


Fairly wide-spread attacks based on the latest vulnerability in Adobe PDF Reader have been spotted by Symantec, they appear to be variants on old attacks but still can be very effective.

It’s not the first time this has happened, back in February 2009 Hackers targeted a 0-day exploit in PDF Reader.

With one variant of this current attack seeing 34,000 detections on Symantec’s network alone, it could be considered fairly widespread.

A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.

The SANS Institute’s Internet Storm Center (ISC) reported Monday that they’d received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14 . Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF “sophisticated” and its use of egg-hunt shellcode “sneaky.”

“Egg-hunt shellcode” is a term for a multi-stage payload used when the hacker can’t determine where in a process’ address space the code will end up.

Today, Joshua Talbot, security intelligence manager at Symantec, confirmed that the malicious PDF exploited the Adobe Reader and Acrobat vulnerability, but unlike Zdrnja, said it wasn’t out of the ordinary. “It’s not particularly novel or sophisticated,” Talbot said.

It seems the solution is the same as it has always been, disable JavaScript support in PDF Reader. But honestly, how many non-tech savvy users will do that? Or even know HOW to do that?

Mine recommendation of course is always to use Foxit PDF Reader and avoid these issues all together.

Which I have of course recommended since 2008 back when Adobe PDF Reader was getting pwned 2 years ago.

All the maker of the recently-discovered exploit did, Talbot added, was take code published in a 2004 research paper and make minor modifications. “These techniques aren’t new or clever, but the same things that all attackers are doing,” Talbot argued.

Although the malicious PDF described by ISC has been seen in only limited numbers — designed for high-profile targets, such as company executives or personnel with access to network passwords — Symantec has monitored bigger attacks exploiting the PDF bug. One attack generated more than 34,000 detections on Symantec’s global detection network, peaking on Dec. 31 before falling sharply.

“We’re definitely seeing activity out there, since the vulnerability is unpatched,” said Talbot. When asked to put that attack on the size scale, Talbot answered, “That puts it in the class of being actively exploited. It shows that there’s both going on … that attackers are crafting one-off exploits for their own purposes, and that there are people who are trying to distribute exploits to as many people as possible.”

Hopefully Adobe will pull the patch forward seen as though this is being actively exploited and push the patch out to users ASAP.

It’s currently stated that Adobe will release the patch on January 12th at their support site, which thankfully isn’t too far off.

Perhaps they take testing seriously so their patch cycle will naturally be delayed.

Source: Network World

Posted in: Exploits/Vulnerabilities

, , , , , ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


One Response to Active Exploitation Of Unpatched PDF Vulnerability

  1. Morgan Storey January 21, 2010 at 10:19 am #

    Problem with Foxit is one of those javascript vulnerabilities a while ago could also work in foxit, and foxit has had its own vuln’s.
    PDF has flaws from its very nature, why do we need a turing complete language with a hugely extensible framework for portable documents.
    Acrobat needs a better patching method, but the real fix is a document format that isn’t flexible, that simply displays text and images, maybe an existing format could work html and png packaged up in a gzip