
Rigged PDFs exploiting just-patched Adobe Reader flaw

Written by Ryan Naraine, Contributor
Just three days after Adobe shipped a patch with fixes for a critical Adobe Reader vulnerability, hackers are using booby-trapped PDF files to fire exploits against Windows users.

[ SEE: Heads up: Patch your Adobe Reader now ]

The in-the-wild attacks, first spotted by the SANS Internet Storm Center, follow the public release of proof-of-concept exploits at Milw0rm.com and underscore the importance of quickly patching third-party desktop applications.

I have seen a sample of one of the rigged PDF files in circulation and can confirm it is indeed exploiting the CVE-2008-2992 vulnerability, which is a stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier. It allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.

From the SANS ISC alert:

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts.
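The ISC description above translates directly into a triage check: pull the JavaScript out of the PDF's streams, peel off the eval(unescape()) wrapper, and look for util.printf calls. The script below is an added example for this article, not code from SANS or Adobe; the PDF it scans is a constructed, benign sample that only mimics the structure described (a FlateDecode stream wrapping a harmless util.printf call), and the regex-based stream parsing is deliberately simple.

```python
import re
import zlib
from urllib.parse import unquote

# A PDF stream object: its dictionary (one level of nesting allowed) and raw bytes.
# A production parser would honour /Length instead of searching for "endstream".
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^>]*>>)*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
# The first-level wrapper the ISC alert describes; group 2 is the percent-encoded script.
EVAL_UNESCAPE_RE = re.compile(r"eval\s*\(\s*unescape\s*\(\s*([\"'])(.*?)\1\s*\)\s*\)", re.S)

def decode_streams(pdf: bytes) -> list:
    """Return every stream as text, inflating FlateDecode streams first."""
    out = []
    for dict_part, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # truncated or deliberately corrupt stream: nothing to inspect
        out.append(data.decode("latin-1"))
    return out

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX bytes plus the %uXXXX form urllib does not handle."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def deobfuscate(js: str, max_depth: int = 8) -> str:
    """Peel off nested eval(unescape("...")) wrappers until plain script remains."""
    for _ in range(max_depth):
        m = EVAL_UNESCAPE_RE.search(js)
        if not m:
            break
        js = js_unescape(m.group(2))
    return js

def triage(pdf: bytes) -> dict:
    """Indicators worth recording for this bug: JS present, the wrapper, util.printf calls."""
    report = {"has_javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
              "eval_unescape_wrapper": False, "util_printf_calls": []}
    for script in decode_streams(pdf):
        if EVAL_UNESCAPE_RE.search(script):
            report["eval_unescape_wrapper"] = True
        report["util_printf_calls"] += re.findall(r"util\.printf\s*\(([^)]*)\)", deobfuscate(script))
    return report

# Constructed sample, not a real malicious file: a benign util.printf call, wrapped the
# same way, inside a FlateDecode stream referenced from the document's /OpenAction.
INNER_JS = 'var s = util.printf("%s", "hello"); app.alert(s);'
WRAPPER = 'eval(unescape("%s"))' % "".join("%%%02X" % b for b in INNER_JS.encode())
STREAM = zlib.compress(WRAPPER.encode())
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>\nendobj\n"
              b"2 0 obj\n<< /Length " + str(len(STREAM)).encode() + b" /Filter /FlateDecode >>\n"
              b"stream\n" + STREAM + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run against a suspect file, the report tells an analyst whether the document carries JavaScript at all, whether that script is hidden behind the wrapper SANS saw, and what arguments reach util.printf once the wrapper is removed.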

Adobe Reader is one of the most widely distributed pieces of software in the Windows ecosystem, so applying this patch should be an absolute priority.

The updates are available at: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084 (Windows), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093 (Mac), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094 (Linux/Solaris).
