Adobe confirms Reader flaws targeted in 'Turkey visa' PDF zero-day attacks


Summary: Attacks on Adobe Reader are a truly European affair with Italian JavaScript, Spanish domains and Irish IP servers.


Adobe has confirmed there are two previously undocumented flaws in the latest updates of its PDF products Adobe Reader and Acrobat that hackers were exploiting with a Turkish visa form.

The two vulnerabilities (CVE-2013-0640, CVE-2013-0641) affect Adobe Reader and Acrobat XI (11.0.01), X (10.1.5) and 9.5.3 and earlier for Windows and Mac, Adobe said in an advisory on Wednesday.

Adobe said the targeted attacks were designed to trick Windows users into opening malicious PDF attachments sent by email; however, the flaws affect the OS X versions of the products as well. The company said it is working on a fix.

At present there are few clues to who the attackers are. However, details provided to ZDNet from FireEye, the security firm that discovered the Adobe Reader and Acrobat exploits this week, suggest it is a European campaign aimed at would-be travellers to Turkey — a popular holiday spot for Europeans seeking winter sun.

A FireEye spokesperson told ZDNet on Thursday that the lure was a PDF file labeled "Visaform Turkey.pdf", a form required of all foreign travellers to the country.

Callbacks from infected machines reveal that the malware is communicating with a Spanish domain hosted on Irish IP servers, while the JavaScript embedded in the maliciously crafted PDF is written in Italian.

FireEye has released an updated technical report detailing how the exploit circumvents some of the anti-exploitation technologies, such as sandboxing, that Adobe has been building into Reader and Acrobat X and XI.

It appears that the security hardening measures Adobe introduced through "Protected View" in Reader and Acrobat XI to prevent such exploits will block this exploit. Protected View was one of the main features Adobe touted at the product's release last year; however, Adobe said in its advisory that users need to enable it manually for the protective measure to actually work.

"Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method," the software company added.
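A check an administrator could run on a workstation to audit (and, with -Enforce, set) the Reader XI Protected View policy before propagating it via GPO, added here as an example and not part of the article or Adobe's advisory. The registry key and value names (FeatureLockDown, iProtectedView, and its 0/1/2 meanings) are assumed from Adobe's enterprise administration documentation rather than taken from this page, so verify them against your deployed version.

```powershell
# Audit / enforce Adobe Reader XI "Protected View" via the machine-wide policy key.
# ASSUMPTION: key and value names follow Adobe's enterprise admin documentation;
# they are not stated in the article. Verify for your product/version before use.
param(
    [string]$Version = "11.0",   # assumed: Reader XI policy path uses the major.minor version
    [switch]$Enforce              # write the desired value instead of only reporting
)

$policyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"
$valueName = "iProtectedView"     # assumed: 0 = off, 1 = unsafe locations only, 2 = all files
$desired   = 2                    # strictest mode: open every PDF in Protected View

function Get-ProtectedViewState {
    # Returns $null when no policy is set (user preference applies), else the DWORD value.
    if (-not (Test-Path $policyKey)) { return $null }
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$current = Get-ProtectedViewState
if ($null -eq $current) {
    Write-Output "Protected View: no machine policy set (per-user default applies)"
} elseif ($current -eq 0) {
    Write-Output "Protected View: DISABLED by policy"
} else {
    Write-Output "Protected View: enabled (mode $current)"
}

if ($Enforce -and $current -ne $desired) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -Value $desired `
        -PropertyType DWord -Force | Out-Null
    Write-Output "Set $valueName=$desired under $policyKey; push the same value via GPO"
}
```

Run as an administrator; the policy key overrides the per-user TrustManager preference, which is why it is the one worth auditing fleet-wide.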

Besides this option, users could install alternative readers, such as (via CNET) Foxit, PDF-Xchange Viewer, Sumatra and Nitro among others.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

2 comments
  • Just An Opinion, But...

    If the intent of the exploit is to trick people into doing stuff, why can't they be tricked on the alternatives?
    eargasm
  • As usual, carelessness increases risk

    If one receives an unsolicited mail from an untrusted source, the careful thing is always to ignore / delete it. Surely a proper visa form is accessible by visiting a web site, as opposed to receiving it in an apparently random email.
    Willnott