Rigged PDFs exploiting just-patched Adobe Reader flaw


Just three days after Adobe shipped a patch with fixes for a critical Adobe Reader vulnerability, hackers are using booby-trapped PDF files to fire exploits against Windows users.

[ SEE: Heads up: Patch your Adobe Reader now ]

The in-the-wild attacks, first spotted by the SANS Internet Storm Center, follow the public release of proof-of-concept exploits at Milw0rm.com and underscore the importance of quickly patching third-party desktop applications.

I have seen a sample of one of the rigged PDF files in circulation and can confirm it is indeed exploiting the CVE-2008-2992 vulnerability, which is a stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier. It allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.

From the SANS ISC alert:

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts.

Adobe Reader is one of the most widely distributed pieces of software in the Windows ecosystem, so applying this patch should be an absolute priority.

The updates are available at: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084 (Windows), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093 (Mac), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094 (Linux/Solaris).
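The SANS ISC description quoted above (a JavaScript object in the PDF, first-level eval(unescape()) obfuscation, then a call to util.printf) can be turned into a triage check for incoming PDFs. The Python below is an added example, not code from this article, SANS or Adobe: it only looks at uncompressed /JS literal and hex strings (FlateDecode streams and indirect references would need to be inflated and resolved first), and the sample PDF bytes are constructed here and carry a harmless util.printf call, not the exploit string.

```python
import re
from urllib.parse import unquote

# Indicators taken from the ISC alert: /JS object, eval(unescape(...)), util.printf.
JS_STRING_RE = re.compile(rb"/JS\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)", re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)

# Constructed sample, not a real malicious file: the decoded call is a benign
# util.printf("%d", 1). Parentheses inside the PDF literal are backslash-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /JavaScript /JS (eval\\(unescape\\("
    b"'%75%74%69%6C%2E%70%72%69%6E%74%66%28%u0022%25%64%u0022%2C%20%31%29'"
    b"\\)\\)) >> endobj\n%%EOF\n"
)

def _pdf_string(tok: bytes) -> str:
    """Convert a PDF literal (...) or hex <...> string token into text."""
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode()).decode("latin-1")
    body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])  # undo \( \) \\ escapes
    return body.decode("latin-1")

def extract_javascript(pdf: bytes) -> list[str]:
    """Return every inline /JS string found in an uncompressed PDF."""
    return [_pdf_string(m.group(1)) for m in JS_STRING_RE.finditer(pdf)]

def percent_decode(s: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX code units, then %XX bytes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def deobfuscate_first_level(js: str) -> str:
    """Append the decoded argument of each unescape('...') to the script text."""
    decoded = [percent_decode(m.group(2)) for m in UNESCAPE_RE.finditer(js)]
    return "\n".join([js, *decoded])

def scan_pdf(pdf: bytes) -> dict:
    """Flag the indicator combination the ISC alert describes."""
    scripts = extract_javascript(pdf)
    joined = "\n".join(deobfuscate_first_level(js) for js in scripts)
    findings = {
        "javascript_objects": len(scripts),
        "eval_unescape": bool(re.search(r"eval\s*\(\s*unescape\s*\(", joined)),
        "util_printf": "util.printf" in joined,
    }
    findings["suspicious"] = findings["eval_unescape"] and findings["util_printf"]
    return findings

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A hit on both indicators is a reason to quarantine the file for analysis, not proof of exploitation; legitimate forms also use util.printf, so the obfuscation layer is what makes the combination worth a look.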


Talkback

28 comments
  • Another reader?

    Not very practical for many, I know, but Adobe's bloated reader isn't svelte and efficient like Foxit Reader, or others out there. Switch to another reader.
    It's time for Adobe to look at themselves in the mirror and decide to embrace quality programming and go on a diet, for their survival and to avoid gaining the ire of the worldwide user community.
    Gary1218
    • Another reader?

      Amen.
      qlas
      • It's Not Going to Happen

        The Adobe Reader is a free tool that enables the user to read files produced by Adobe products. It is free because no one would buy those products if what they produced was not readable by the audience to whom they are directed.

        Adobe documents now contain audio-clips, animation, streaming video, 3D; and users of the technology of taking immediate advantage of all these features.

        But the earlier Adobe Readers are still out there. If someone doesn't want the ability to read current Adobe documents, he or she should be able to find an Adobe Reader 4 out there, which is a small file and takes little headroom. And, who knows, there might actually be one or two things out there it can still read.
        mijcar
        • Bollocks

          "The Adobe Reader is a free tool that enables the user to read files produced by Adobe products."

          Wrong.
          The Adobe Reader is a free tool that enables the user to read PDF files, produced by MANY DIFFERENT PRODUCTS.

          Adobe has championed PDF as a format, not just a product, for years. Suddenly deciding now that PDF is an Adobe-only format is stupid.

          "Adobe documents now contain audio-clips, animation, streaming video, 3D;"

          A very very tiny fraction of PDFs contain this utterly useless garbage. The VAST majority do not.

          "and users of the technology of taking immediate advantage of all these features."

          Anyone who thinks this cruft is an essential part of a typical PDF document is clueless.

          "If someone doesn't want the ability to read current Adobe documents, he or she should be able to find an Adobe Reader 4 out there, which is a small file and takes little headroom. And, who knows, there might actually be one or two things out there it can still read."

          In other words, you propose a solution that you KNOW is absolutely worthless. Thanks so very much.
          bmerc
    • Duh

      This a tech related website. Everybody here already
      knows not to use IE/Adobe reader/etc.

      Find a more luddite-based forum and give this info
      there, where it's needed.
      AzuMao
      • Wow!

        I admit it isn't hard to find folks with their heads in the sand ... but they're usually Vista marketing folks. Very odd to find them here in ZDNet.

        All kidding aside ...

        I am curious as to what universal format AzuMao and friends would suggest we all use to share documents. Proprietary M$ DOC or XML format-du-jour maybe? Or maybe multi-gigabyte TIF files? Or maybe some obscure format that only penguins speak? How about a picture-based language like Chinese? Instead of 256 characters (essentially), perhaps you would prefer the 6000-7000 picture "characters" that a well-educated Chinaman recognizes?

        Adobe may be well on their way to screwing up a good thing but it is still ... much like the USA ... the best thing going.

        Perhaps you don't understand Luddites. I'm guessing that no Luddite in his right mind goes anywhere near PDF files. They actually like to file good old paper in drawers.
        ttocsmij
    • Another reader... not only!

      Better change to an Open Source product and doc
      standard as odf.
      This makes things more secure due to the fact
      millions of developers control the programs you
      use.
      tumblemumble
    • Hit the nail on the head

      I have been dealing with this bloated Adobe Reader version 8.0 since it came out. Thank god I kept my Version 7.0 and refused the updates. The last good Adobe Reader version was 5.0. It was sleek and still had great features.

      I advise my users to avoid Adobe 8.0 Reader like the plague as it has had obvious memory leaks since it was released and is quite bloated. Doesn't seem to play well with others.

      I've tried using Foxit, crap. Dig out your old Adobe 5.0 and enjoy.
      seanka@...
  • I don't use Adobe Reader.

    I use KPDF. I like it much better. It's lighter, faster and doesn't get in my way. Open Source is like Teflon to malware. Not impervious, just slick.
    kozmcrae
    • Thank you, kozmcrae,

      for offering this useful alternative available to our Linux / Unix friends. Further details:

      http://kpdf.kde.org/
      http://en.wikipedia.org/wiki/KPDF
      http://www.kde.org/
      http://en.wikipedia.org/wiki/K_Desktop_Environment
      ttocsmij
      • kpdf

        Changing to (Open Office's and the like) odf ISO
        standard for documents is even better.
        So change to another reader, don't pay even for
        the related writers and use an affirmed open
        document format.

        It will cost you nothing and you'll be sure to
        have millions of developers controlling the
        security and quality of the applications you
        use, for nothing.
        tumblemumble
  • RE: Rigged PDFs exploiting just-patched Adobe Reader flaw

    Who can you trust these days? Not Microsoft, not Adobe...WHO?
    rathersailawa@...
  • let's live in the real world, shall we?

    - this problem and patch are for the _last_ Reader and
    Acrobat. If you've gone to Reader 9 after it was
    offered months ago, you have no problem it appears.

    - The real issue is probably those of us who may have
    Reader 9, but also have Acrobat 8, from a suite or
    other purchase. So, Adobe is being responsible,
    giving a proper term of support.

    I really wonder what those writing here want
    sometimes. A highly organized criminal network
    employs talent to attack anything which can give them
    a return, and perhaps publicity. You think any
    software producer they choose to look at is going to
    be invulnerable? This is not good sense if so.

    Regards,
    Narr Vi
    Narr vi
    • Reader 9 is a pig

      Have you checked the system requirements for Adobe Reader 9? A lot of people on older machines don't have the CPU to run it! It takes bloat to a whole new level.
      Greenknight_z
      • Look at the increasing bloat per version

        I agree. Below are the abbreviated system requirements for the latest three versions. Even the earlier versions were bloated for their time periods.

        Adobe Reader 7.1.0 system requirements - Windows - 2005
        * Intel Pentium or equivalent processor
        * 128MB of RAM (256MB recommended for complex forms or large documents)
        * Up to 90MB of available hard-disk space

        Adobe Reader 8.1.3 system requirements - Windows - 2006
        * Intel Pentium® III or equivalent processor
        * 128MB of RAM (256MB recommended for complex forms or large documents)
        * 170MB of available hard-disk space

        Adobe Reader 9 system requirements - Windows - 2008
        * Intel® 1.3 GHz processor
        * 128MB of RAM (256MB recommended)
        * 335MB of available hard disk space

        Look at the progression of processor power and disk space needed. The only thing that has remained stable is the memory requirement. The available hard disk space almost doubled between each release. With all these extra lines of code, who knows how many more potential security holes were introduced.
        mystic100
  • Adobe, give users a simple reader

    I remember the earlier versions of Adobe Reader being smaller, quicker loading, and well suited for reading documents on the web and light corporate use. Since then, Adobe Reader has become so bloated, using scripting (using Javascript, ActiveX, etc.), and other feature creep. As a result, there are more attack vectors. I would like Adobe to produce a very simple reader that most users could use to read content on the web with more safety. Adobe could also produce their bloated full function reader for users who really need it.
    mystic100
  • RE: Rigged PDFs exploiting just-patched Adobe Reader flaw

    users need to get educated about alternatives to mainstream, exploitable and proprietary applications.

    acrobat reader is just way too bloated and sluggish. foxit reader is lighter and does the job. and there are many more open source alternatives out there.
    quigonz
    • same problem?

      Do other solutions (i.e., Foxit, etc.) suffer the same ills as Reader when it comes to this exploit, for example? It is a shame that Adobe got caught up in the senseless blind rush to cast binary code aside in favor of bloated high-level languages (likely encouraged by M$), but are the alternatives any safer? Just curious.
      ttocsmij
  • Apps Like This May Always be Attack Vectors

    Any application that interacts with the outside world via communication/application protocols or processing files may have one or more programming mistakes that enable attackers to implant malware and/or steal information from PCs. One never knows if or when there will be another vulnerability that must be patched.

    There are many security tools, many freeware, that prevent such attacks without relying on signatures, which are losing the war to malware-makers that alter their signatures as frequently as every 10 minutes. Check these blog posts out for more on that:

    http://www.securitynowblog.com/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection

    http://www.securitynowblog.com/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware

    If you haven't tried any of these freeware tools before, check out this simple one to get a sense for what you can do:

    http://www.blueridgenetworks.com/solutions/edgeguardsolo/
    eiverson@...
  • Adobe isn't really helping.

    Adobe certainly doesn't help. Yes, they release fixes to the main software, but they don't patch the same software when it's a subcomponent. For example, Adobe Flash is a component of Adobe Air. According to Secunia, the NPSWF32.dll in the Adobe Air folder is still vulnerable. But the Adobe Flash patch doesn't touch that component. I've seen the same thing happen in the past with Adobe Acrobat components.
    mijcar