Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

Summary: The zero-day attacks against Adobe PDF Reader/Acrobat include clever techniques to bypass the anti-exploit mitigations in Microsoft's newest operating systems, and a dropped file carries a valid digital signature from a certificate belonging to a U.S. credit union.

The attacks, which use booby-trapped PDF documents to exploit an unpatched vulnerability in Adobe Reader/Acrobat, first appeared as an e-mail attachment titled "Golf Clinic.pdf" that promises golf tips from instructor David Leadbetter.

follow Ryan Naraine on twitter

If the target opens the document, the reader crashes and then immediately opens a decoy file with the same name (in lower case), which is dropped in the user profile's Application Data folder, according to Contagio Malware Dump, a site that tracks malicious spam and web activity.

A downloader is also dropped in the user's %tmp% directory; it downloads winhelp32.exe, which then connects to academyhouse.us.

According to Roel Schouwenberg, a senior virus researcher at Kaspersky Lab (important disclosure), the exploit uses the ROP (return-oriented programming) technique to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7.

Dino Dai Zovi, a researcher who has publicly discussed details of return-oriented programming and the ways in which it can be used to exploit vulnerabilities, described the PDF attack as "pretty impressive" because of the complex techniques used to bypass Windows defenses.

Kaspersky's Schouwenberg also discovered that the malware attack drops a file that is digitally signed with a valid signature from Vantage Credit Union, a U.S.-based credit union.

Schouwenberg writes:

This means that the cybercriminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.

It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011.
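The infection chain described above (downloader in %tmp%, winhelp32.exe, callback to academyhouse.us) and Schouwenberg's point that a valid signature from a stolen certificate proves nothing about trust can both be turned into detection logic. The following is an added example, not code from the article or from Kaspersky; the JSON event format, field names, the signer allowlist and the file name "update.exe" are assumptions made for the demo:

```python
import json
import re

# Indicators the article names: a downloader dropped in the user %tmp% directory,
# a second stage called winhelp32.exe, a connection to academyhouse.us, and a
# dropped file validly signed by Vantage Credit Union. The JSON event shape, field
# names, signer allowlist and "update.exe" are constructed here, not real telemetry.
C2_HOSTS = {"academyhouse.us"}
SECOND_STAGE_NAMES = {"winhelp32.exe"}
PDF_READERS = {"acrord32.exe", "acrobat.exe"}
EXPECTED_SIGNERS = {"Microsoft Corporation", "Adobe Systems Incorporated"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate_event(ev):
    """Return the alert reasons that apply to one endpoint event ([] if none)."""
    reasons = []
    image = ev.get("image", "")
    if basename(image) in SECOND_STAGE_NAMES:
        reasons.append("known second-stage filename")
    if ev.get("type") == "process_create":
        if basename(ev.get("parent_image", "")) in PDF_READERS and TEMP_DIR.search(image):
            reasons.append("pdf reader spawned executable from temp directory")
        # "Valid" is not a trust decision: the article's dropper carried a stolen
        # but still-valid certificate, so the rule keys on the signer identity.
        signer = ev.get("signer")
        if ev.get("signature") == "valid" and signer not in EXPECTED_SIGNERS:
            reasons.append("validly signed by unexpected publisher: %s" % signer)
    elif ev.get("type") == "network_connect":
        if ev.get("dest_host", "").lower() in C2_HOSTS:
            reasons.append("connection to known C2 host")
    return reasons

def scan_log(lines):
    """Return [(event, reasons)] for every JSON line that triggers a rule."""
    hits = [(ev, evaluate_event(ev)) for ev in (json.loads(l) for l in lines if l.strip())]
    return [h for h in hits if h[1]]

# Constructed sample telemetry following the infection chain the article describes.
SAMPLE_LOG = """
{"type": "process_create", "parent_image": "C:\\\\Program Files\\\\Adobe\\\\Reader 9.0\\\\Reader\\\\AcroRd32.exe", "image": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\update.exe", "signature": "valid", "signer": "Vantage Credit Union"}
{"type": "network_connect", "image": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\winhelp32.exe", "dest_host": "academyhouse.us", "dest_port": 80}
{"type": "process_create", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\notepad.exe", "signature": "valid", "signer": "Microsoft Corporation"}
"""

if __name__ == "__main__":
    for ev, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(basename(ev["image"]), "->", "; ".join(reasons))
```

The benign notepad event produces no alert, while the validly signed dropper is flagged on signer identity alone, which is the practical response to the stolen-certificate problem the quote raises.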

Adobe has released an alert confirming the vulnerability and the active attacks, and notes that there is no pre-patch mitigation guidance to thwart these attacks.

End users worried about falling victim to these attacks should consider using an alternative software product to view PDF files.

Talkback

  • I wouldn't be inclined to open a 'Golf Clinic' PDF anyway.

    ... new Milla Jovovich photos perhaps...
    HollywoodDog
  • I just opened up an Anna Kournikova pdf

    from a link I saw in my spam box :p and yep, was hit. :( Dammit, when will I learn?
    klumper
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @klumper : When will you learn is right! It is ludicrous to even view the contents of a spam or any possibly malicious code. If you still cannot tell badmail from goodmail just by looking at the sender and subject lines, you need to get offline; you're a danger to yourself and to others.
      There are only 2 logical things to do with badmail; delete it sight unseen, or learn how to report it safely and keep those slobs on the many blocklists around the world.

      I also see absolutely no reason for you to have posted your ignorance of the subject as you have just done; you'd be a lot better off spending the time learning how to avoid crap like that.
      anonymous
      • Wait till you see what I managed to do later

        @twaynesdomain

        Look below. :|

        Sometimes these cursed fingers of mine get a-clickin' and won't stop, like they're inhabited by tiny chupacabras. :(
        klumper
  • You have to be at least this smart to browse this web

    There is a key component that all systems have that continues to be shamefully exploited. The curiosity and naivety of general users.

    Back away from that mouse button. Do not click on it.

    Just like your mama taught you. Do not talk to strangers.

    Do be clicking on no strange emails or pop-ups. Delete spam, ignore pop-ups no matter how interesting they look.

    Then, go check a legit source on a topic you need or want to read about.
    daniel.pereznet
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @daniel.pereznet

      Funny, my mother didn't teach me that, because she knew that strangers were NOT the real danger but people who I was introduced to by her. Seriously, how often have you heard of a COMPLETE stranger snatching a child?

      Not often, it's usually someone with some kind of connection to the family, even if it's only meeting the person in question at a block party.
      Lerianis10
      • Illustrating the challenges from Social Media

        Thank you for illustrating the current threat dynamics inherent in the growth of Social Media. Most of us learned these "don't follow links from strangers" lessons long ago on the internet. Then came the myriad of ways to stay connected with your friends. The threat vectors aren't just strangers anymore, and the badguys pose as our friends, making users far more likely to trust something. Blaming the user isn't a panacea folks, since the threats have become more sophisticated, and less coarse and identifiable each iteration.
        The solution is going to have to come in the form of offense soon, because reactive defense just isn't cutting it and software developers still code for security as an afterthought.

        Right now, I don't even want to touch any Adobe products after all these Flash and PDF vulnerabilities.
        danielb
    • Not always easy with so many appealing links

      @daniel.pereznet
      [i]Back away from that mouse button. Do not click on it. [/i]

      Yeah, easy for you to say. You have self restraint. :|
      klumper
  • I think the real person to blame

    ...is the companies whose digital certificates are taken from. Clearly they aren't locking down systems that have access to the digital certificates in raw form.

    It reminds me of the issues of hardware makers that include viruses on devices.

    Companies should know better than to let Jim-Bob or Kim Dong have free access to the Internet on a business-critical machine that has no business with an Internet connection in the first place. They have to ask themselves: "do they need Internet access to do their job on this computer?". If the answer is no, cut the bloody cord! If the answer is "no, but [insert excuse here]", they need to step aside and hire someone that knows what they're doing in IT.
    Joe_Raby
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @Joe_Raby

      Little problem: most of those people DO need internet access, so you cannot just 'cut the damned cord'..... for god's sake man, get REAL here and stop spouting bull!
      Lerianis10
      • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

        @Lerianis10 /The only bull-spouting I've seen here is yours. Myopic narcissist comes to mind, in fact.
        anonymous
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @Joe_Raby and the biggest offenders, are the execs and CEO's who don't want to follow security practices or have their computers restricted.

      Yeah, go tell 'em what's what, tough guy. Let me know how that works out for you...

      Why do you think the malicious pdf's were oriented at golfers, genius? Not the rank and file, in this economy.
      danielb
  • No worries here.

    Windows Folks must accept the fact that Windows security is broken.
    Windows offers no Linux LSM equivalent to protect users against unintended side-effects of 3rd-party Apps.

    Side-effects is a euphemism for exploits, folks.

    Anyone running Ubuntu 10.04 will be happy to know their default PDF viewer is Evince.

    Just so happens, Ubuntu saw fit to place Evince in an AppArmor LSM profile.

    So, Ubuntu lovers, no worries here.

    Ubuntu Linux: The safest operating system on the planet.

    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • As the Linux users discovered that their security

      was broken some time ago, so too have Windows users discovered the same thing.

      But then, data has shown that not many Linux users are golfers, so the exploit will not affect them as it will not be opened.
      :|
      Tim Cook
      • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

        @Mister Spock
        well said there sir
        security is broken as soon as a human writes the code. ignorant people are the third worst thing on the internet, beaten only by ignorant people who think they aren't, and trolls.
        DevonS
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @Dietrich T. Schmitz, Your Linux Advocate

      Lol... So ultimately, you're saying that Ubuntu offers an alternative to Adobe as a standard. Since Adobe isn't standard on MS, then Microsoft users should be happy to know there are a plethora of options for their PDF files!

      Microsoft Windows...the most compatible Operating System around...

      I stake Bill Gates' reputation as one of the richest men in the world on it! ;)

      Happy Posting!!
      GSystems
      • Missing the point

        @G-Systems
        LSM was created to provide a mandatory access control system that not only polices the 'App' but also the 'kernel'.

        Linux can't protect against unintended side-effects. It is LSM that provides the ability to profile any 3rd-party App to specify in a very fine granular way what actions are taken by the App and the kernel on behalf of the App.

        There is no notion of an external LSM mechanism in Windows 7.

        That leaves users and Admins with few or no options.
        In this story the author concludes:

        "End users worried about falling victim to these attacks should consider using an alternative software product to view PDF files."

        That is not a security remedy. It is an admission to the fact that Windows does not offer an LSM equivalent to sandbox Apps.

        Yet, Microsoft has seen fit to 'feather their own nest' in writing Office 2010 with sandboxing.

        That is more than a bit troubling and if I were an Admin seeing these daily zero-day reports, I'd be asking why can't Microsoft provide a mechanism like LSM so we can at least sandbox our Apps.

        That would alleviate the immediate need for continual fire drills to mitigate these zero-day threats, because with a well-defined LSM profile any unintended side-effect, e.g., exploit, is stopped cold. Admins and users alike using Ubuntu need not worry even if a zero-day defect is published or discovered because it will not have mattered with LSM profiles in place and the defects will be patched in due course by Canonical.

        Therein lies the core difference between Windows and Linux LSM.

        Be safe with Ubuntu Linux.
        I stake my reputation on it.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

        @G-Systems
        I think you are forgetting the fact that the first choice Windows users get when they need to open a *.pdf is Adobe's Reader.
        Other than that, you are right: there are safer readers for Windows.
        hkommedal
    • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

      @Dietrich T. Schmitz, Your Linux Advocate
      Shut up, will you? If you can't afford Windows then stick with that ugly piece of Linux crap
      shellcodes_coder
      • RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

        @shellcodes_coder
        Is that the best you can offer? I can afford Windows, but I run it as a VM on a base system of Ubuntu, and it runs in 'immutable' mode.

        You can draw your own conclusions from that.
        Try though to step back and be objective. Personalizations only diminish your position.
        Dietrich T. Schmitz, ~ Your Linux Advocate