Sophos Cloud Optix
A Russian security company has found a zero-day vulnerability in the latest versions of Adobe’s PDF reader software that’s fetching between $30K and $50K on the black market.
The exploit, is reportedly being used to install banking malware, is also packaged up in the new version of the Blackhole Exploit Kit, used to distribute the banking Trojans Zeus, Spyeye, Carberp, and Citadel.
That could turn a big problem into a bigger and more widespread one. As it is, notes KrebsonSecurity, Blackhole is currently the most prevalent exploit kit in use.
The security firm, Group-IB announced the vulnerability on Wednesday.
The researchers said that the vulnerability is able to get around the built-in sandboxing protection that Adobe added to its Reader application with the release of version X (version 10) in July, in an attempt to keep potentially malicious PDF files at arm’s distance from the operating system by running them in a confined environment.
Andrey Komarov, the Head of International Projects Department at Group-IB, said in the announcement that the vulnerability has great appeal for cybercriminals, given that it’s the first time they’ve found a way to bypass Adobe X’s sandbox, which is also built into the latest Adobe Reader XI (version 11):
"[It's a] very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution."
One factor that could mitigate the seriousness of the zero-day is that the vulnerability can only be successfully exploited after a user closes and restarts the browser.
Another way to exploit the vulnerability, Komarov said, is to trick a victim into opening a malformed PDF document.
The Russian firm produced this video, which, according to Brian Krebs, the researchers say demonstrates a sanitized version of the attack.
So far, Group-IB has only seen the attack work against Microsoft Windows installations of Adobe Reader, Krebs reports.
Adobe spokeswoman Wiebke Lips told SC Magazine that the company had reached out to the researchers but hadn’t heard back as of Wednesday evening and was waiting for more details before deciding how to respond:
"We saw the announcement from Group IB, but we haven't seen or received any details. Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately - beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."
Adobe hadn’t responded to my request for an update or with advice for how to mitigate the danger by the time this posted.
This time around, Adobe obviously can’t rely on sandboxing to keep users safe while it postpones a fix. Hopefully, they’ll get details soon and get an emergency fix out ASAP.
In the meantime, avoid opening unsolicited PDFs.
Hi everyone,
There is quite a lot of very good advice in the comments section of the Brian Krebs’ article (Krebs on Security) linked to above about how to reduce your chances of being affected by a PDF exploit.
The advice isn’t specific to this particular exploit but it will make the job of this exploit (and most other PDF exploits) in compromising your computer much harder.
I consider the information that was generously provided by those commenters very good advice. I also made some minor contributions to the very solid advice given.
Any advice that Sophos receive from Adobe would also be very much appreciated. Many thanks to Lisa for requesting this from Adobe.
I hope this helps. Thank you.
Thanks so much for pointing us to Brian's comments section for advice. Adobe did get back to me yesterday afternoon, saying that they couldn't really give any, until they determined the nature of the vulnerability.
Thanks for the update Lisa.
Does anyone know if STDU Viewer is free from malware vulnerabilities? I have read that it's a safe alternative to Adobe Reader for now.
Hi Steve K,
According to Symantec Securityfocus ( http://www.secuirtyfocus.com/bid) and Secunia ( http://secunia.com/advisories/product/SOFT_S/#lis… )
There is only 1 security vulnerability in STDU Explorer. Both Securityfocus and Secunia confirm that this vulnerability was not fixed:
http://www.securityfocus.com/bid/44128/solution
http://secunia.com/advisories/product/32678/
There are no known vulnerabilities in STDU Viewer (http://stdutility.com/ ). Please check the above websites approximately every 2 weeks to determine if any security advisories are published for STDU Viewer. In addition, always use the most recent version of STDU Viewer as more recent versions may include security fixes.
If you think that this application requires further protection from threats, you could also do the following:
Run the application in a limited (standard) user account of Windows. A similar effect is achieved by using UAC with an administrator account (but this is slightly less effective).
Apply the mitigations of Microsoft EMET ( http://support.microsoft.com/kb/2458544 ) to STDU Viewer. Microsoft EMET 3.0 is the officially supported version but there is a Technical Preview of EMET version 3.5 available. EMET 3.5 is not supported yet.
Further information about EMET is available from:
http://blogs.technet.com/b/srd/archive/2012/05/15…
IMPORTANT NOTE: Microsoft EMET’s mitigations are not guaranteed to be compatible with every application. Thorough testing of the effect of such mitigations is always recommended. Please read the User Guide that is included with Microsoft EMET before applying any mitigations (this guide is included as a PDF within the Microsoft EMET installation folder (you are able to choose where this folder is placed during installation)).
If you require support with Microsoft EMET, please visit the EMET support forum:
http://social.technet.microsoft.com/Forums/en/eme…
Please note that support is provided on a best effort basis.
You could also use the free readers that Brian Krebs mentions in his blog post (linked to in the above blog post from Sophos) i.e. Foxit Reader, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.
I hope the above information is of assistance to you. If I can be of any further assistance, please let me know. Thank you.