Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Summary: The zero-day attacks against Adobe Reader/Acrobat include clever techniques for bypassing the anti-exploit defenses in Microsoft's newest operating systems, and a dropped file signed with a valid digital certificate belonging to a U.S. credit union.
The attacks, which use booby-trapped PDF documents to exploit an unpatched vulnerability in Adobe Reader/Acrobat, first appeared as an e-mail attachment titled "Golf Clinic.pdf" that promises golf tips from instructor David Leadbetter.
When the target opens the document, Reader crashes and the exploit immediately opens a decoy PDF with the same name (in lower case), which it drops into the user's Application Data folder, according to Contagio Malware Dump, a site that tracks malicious spam and web activity.
A downloader dropped into the user's %tmp% directory then fetches winhelp32.exe, which connects out to academyhouse.us.
According to Roel Schouwenberg, a senior virus researcher at Kaspersky Lab (important disclosure), the exploit uses return-oriented programming (ROP) to bypass the ASLR and DEP mitigations in Windows Vista and 7. ROP chains together short instruction sequences that already exist in loaded code instead of injecting new code, which is how it sidesteps DEP; the chain still needs the addresses of those sequences, so ASLR is only defeated when the exploit can find code at a predictable address, typically in a module that was not built with ASLR support.
Dino Dai Zovi, a researcher who has publicly discussed details of return-oriented programming and the ways in which it can be used to exploit vulnerabilities, described the PDF attack as "pretty impressive" because of the complex techniques used to bypass Windows defenses.
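To make the technique described above concrete, here is an added example of the two mechanical steps behind a ROP exploit: finding ret-terminated gadgets in a module that loads at a fixed address, and laying out a chain of gadget addresses and data on the stack. This is illustrative code written for this page, not code from the Reader exploit, Kaspersky or Contagio. The "module image" is a constructed byte string, the base address 0x10000000 is a hypothetical fixed (non-ASLR) load address, the pivot target 0x0C0C0C0C is an arbitrary placeholder, and the opcode table is a tiny subset of x86 chosen so that decoding backwards from each ret is exact.

```python
"""Naive x86 (32-bit) ROP gadget finder and chain builder.

Added example for this article; it is not code from the Reader exploit,
Kaspersky, or Contagio. IMAGE is a constructed byte string and BASE is a
hypothetical load address standing in for a DLL loaded without ASLR.
"""
import struct

# A tiny subset of one-byte x86 opcodes that are useful in gadgets.
# Real tools (ROPgadget, rp++, mona) use a full disassembler; restricting
# the table to one-byte instructions keeps backward decoding exact.
ONE_BYTE = {
    0x58: "pop eax", 0x59: "pop ecx", 0x5A: "pop edx", 0x5B: "pop ebx",
    0x5C: "pop esp", 0x5D: "pop ebp", 0x5E: "pop esi", 0x5F: "pop edi",
    0x90: "nop",
    0x94: "xchg eax, esp",   # classic stack-pivot gadget
}
RET = 0xC3

# Constructed image: a few "function" tails that happen to end in ret.
IMAGE = bytes([
    0x55, 0x8B, 0xEC,        # push ebp; mov ebp, esp   (function prologue)
    0x5D, RET,               # offset 3:  pop ebp; ret
    0x31, 0xC0,              # xor eax, eax             (filler)
    0x58, RET,               # offset 7:  pop eax; ret
    0x94, RET,               # offset 9:  xchg eax, esp; ret
    0x5B, 0x5E, RET,         # offset 11: pop ebx; pop esi; ret
    0xCC,                    # int3 padding
])
BASE = 0x10000000            # hypothetical fixed (non-ASLR) module base


def find_gadgets(image, base, max_len=3):
    """Map address -> "insn; ...; ret" for every ret preceded by up to
    max_len table instructions. The address is base + offset: only
    because the base does not move can an exploit hard-code it."""
    gadgets = {}
    for i, byte in enumerate(image):
        if byte != RET:
            continue
        for n in range(1, max_len + 1):
            start = i - n
            if start < 0:
                break
            prefix = image[start:i]
            # Stop as soon as the walk hits a byte we cannot decode (or
            # another ret): any longer prefix would contain it too.
            if any(b not in ONE_BYTE for b in prefix):
                break
            insns = [ONE_BYTE[b] for b in prefix] + ["ret"]
            gadgets[base + start] = "; ".join(insns)
    return gadgets


def gadget_address(gadgets, text):
    """Look up the address of a gadget by its disassembly text."""
    for addr, insns in gadgets.items():
        if insns == text:
            return addr
    raise LookupError(f"no gadget {text!r} in image")


def build_pivot_chain(gadgets, new_stack):
    """Chain that loads eax with new_stack and swaps it into esp:
    pop eax; ret  ->  new_stack  ->  xchg eax, esp; ret.
    The chain is nothing but addresses and data placed on the stack;
    no new code is written anywhere, which is why DEP does not stop it."""
    return struct.pack(
        "<III",
        gadget_address(gadgets, "pop eax; ret"),
        new_stack,
        gadget_address(gadgets, "xchg eax, esp; ret"),
    )


def describe_chain(chain, gadgets):
    """Annotate each 4-byte slot of a chain as a gadget or as data."""
    return [
        gadgets.get(slot, f"data 0x{slot:08x}")
        for (slot,) in struct.iter_unpack("<I", chain)
    ]


if __name__ == "__main__":
    found = find_gadgets(IMAGE, BASE)
    for addr in sorted(found):
        print(f"0x{addr:08x}: {found[addr]}")
    chain = build_pivot_chain(found, 0x0C0C0C0C)
    print(describe_chain(chain, found))
```

Running the script lists the five gadgets the image contains and prints the pivot chain as "pop eax; ret", a data word, "xchg eax, esp; ret". The point to take from it is that every address in the chain is base + offset: if the module is relocated by ASLR, the chain points at garbage, which is why an exploit of this kind depends on at least one module loading at a predictable address.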
Kaspersky's Schouwenberg also found that the attack drops a file that is digitally signed with a valid signature from Vantage Credit Union, a US-based credit union. A valid signature only proves that whoever signed the file held the certificate's private key; it says nothing about whether the file is benign.
Schouwenberg writes:
This means that the cybercriminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.
It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011.
Adobe has released an alert confirming the vulnerability and the active attacks, and notes that it has no pre-patch mitigation guidance to offer against them.
End users worried about falling victim to these attacks should consider using an alternative PDF viewer until a patch is available.

Talkback
I wouldn't be inclined to open a 'Golf Clinic' PDF anyway.
I just opened up an Anna Kournikova pdf
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
There are only 2 logical things to do with bad mail: delete it sight unseen, or learn how to report it safely and keep those slobs on the many blocklists around the world.
I also see absolutely no reason for you to have posted your ignorance of the subject as you have just done; you'd be a lot better off spending the time learning how to avoid crap like that.
Wait till you see what I managed to do later
Look below. :|
Sometimes these cursed fingers of mine get a-clickin' and won't stop, like they're inhabited by tiny chupacabras. :(
You have to be at least this smart to browse this web
Back away from that mouse button. Do not click on it.
Just like your mama taught you. Do not talk to strangers.
Do be clicking on no strange emails or pop-ups. Delete spam, ignore pop-ups no matter how interesting they look.
Then, go check a legit source on a topic you need or want to read about.
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Funny, my mother didn't teach me that, because she knew that strangers were NOT the real danger but people who I was introduced to by her. Seriously, how often have you heard of a COMPLETE stranger snatching a child?
Not often, it's usually someone with some kind of connection to the family, even if it's only meeting the person in question at a block party.
Illustrating the challenges from Social Media
The solution is going to have to come in the form of offense soon, because reactive defense just isn't cutting it and software developers still code for security as an afterthought.
Right now, I don't even want to touch any Adobe products after all these Flash and PDF vulnerabilities.
Not always easy with so many appealing links
[i]Back away from that mouse button. Do not click on it.[/i]
Yeah, easy for you to say. You have self restraint. :|
I think the real person to blame
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Little problem: most of those people DO need internet access, so you cannot just 'cut the damned cord'..... for god's sake man, get REAL here and stop spouting bull!
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Yeah, go tell 'em what's what, tough guy. Let me know how that works out for you...
Why do you think the malicious pdf's were oriented at golfers, genius? Not the rank and file, in this economy.
No worries here.
Windows offers no Linux LSM equivalent to protect users against unintended side-effects of 3rd-party Apps.
Side-effects is a euphemism for exploits, folks.
Anyone running Ubuntu 10.04 will be happy to know their default PDF viewer is Evince.
Just so happens, Ubuntu saw fit to place Evince in an AppArmor LSM profile.
So, Ubuntu lovers, no worries here.
Ubuntu Linux: The safest operating system on the planet.
I stake my reputation on it.
As the Linux users discovered that their security
But then, data has shown that not many Linux users are golfers, so the exploit will not affect them, as it will not be opened.
:|
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
security is broken as soon as a human writes the code. ignorant people are the third worst thing on the internet, beaten only by ignorant people who think they aren't, and trolls.
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Missing the point
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
I think you are forgetting the fact that the first choice Windows users get when they need to open a *.pdf is Adobe's Reader.
Other than that, you are right: there are safer readers for Windows.
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Shut up, will you? if you can't afford Windows then stick with that ugly piece of Linux crap
RE: Adobe PDF exploits using signed certificates, bypasses ASLR/DEP
Is that the best you can offer? I can afford Windows, but I run it as a VM on a base system of Ubuntu, and it runs in 'immutable' mode.
You can draw your own conclusions from that.
Try though to step back and be objective. Personalizations only diminish your position.