Adobe confirms Reader flaws targeted in 'Turkey visa' PDF zero-day attacks

Attacks on Adobe Reader are a truly European affair with Italian JavaScript, Spanish domains and Irish IP servers.
Written by Liam Tung, Contributing Writer

Adobe has confirmed there are two previously undocumented flaws in the latest updates of its PDF products Adobe Reader and Acrobat that hackers were exploiting with a Turkish visa form.

The two vulnerabilities (CVE-2013-0640, CVE-2013-0641) affect Adobe Reader and Acrobat XI (11.0.01), X (10.1.5) and 9.5.3 and earlier for Windows and Mac, Adobe said in an advisory on Wednesday.

Adobe said the targeted attacks were designed to trick Windows users into clicking on emailed malicious PDF attachments, however the flaws affect the products for OS X systems as well. The company is working on a fix, it said.

At present there are few clues to who the attackers are. However, details provided to ZDNet from FireEye, the security firm that discovered the Adobe Reader and Acrobat exploits this week, suggest it is a European campaign aimed at would-be travellers to Turkey — a popular holiday spot for Europeans seeking winter sun.

A FireEye spokesperson told ZDNet on Thursday that the lure was a PDF file labeled "Visaform Turkey.pdf", posing as the visa form that all foreign travellers to the country are required to complete.

The callback traffic from infected machines reveals that the malware is communicating with a Spanish domain hosted on Irish IP servers, while the JavaScript embedded in the maliciously crafted PDF is written in Italian.

FireEye has released an updated technical report detailing how the exploit circumvents some of the anti-exploitation technologies, such as sandboxing, that Adobe has been building into Reader and Acrobat X and XI.

It appears that the security hardening Adobe introduced through "Protected View" in Reader and Acrobat XI will stop this exploit from working. Protected View was one of the main features Adobe touted at the product's release last year; however, Adobe said in its advisory that it is not enabled by default, so users will need to turn it on manually for the protection to actually apply.

"Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method," the software company added.
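As an added illustration of the registry-based check an administrator would run before and after pushing such a setting by GPO (this script is not from the article, Adobe or FireEye), the following PowerShell audits the Protected View mode for Reader XI on the local machine. The key path and the `iProtectedView` value name are assumptions taken from Adobe's preference documentation rather than from the article, and the value meanings (0 = off, 1 = files from unsafe locations, 2 = all files) are assumed likewise; verify both against Adobe's current Application Security Guide before relying on them.

```powershell
# Added example: audit Adobe Reader XI "Protected View" from the registry.
# ASSUMPTION: key path and value name follow Adobe's documented preference
# layout; confirm against Adobe's Application Security Guide for your version.
$ReaderVersion = '11.0'
$UserKey   = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\TrustManager"
# Policy/lockdown key that a GPO would typically populate so users cannot
# override the setting (assumed path, same caveat as above).
$PolicyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"
$ValueName = 'iProtectedView'

# Human-readable meaning of the assumed DWORD values.
$Modes = @{ 0 = 'Off'; 1 = 'Files from potentially unsafe locations'; 2 = 'All files' }

function Get-ProtectedViewState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }            # key absent -> not configured
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                  # value absent -> not configured
    return [int]$item.$ValueName
}

$policy = Get-ProtectedViewState -Key $PolicyKey
$user   = Get-ProtectedViewState -Key $UserKey

# A machine-level policy value wins over the per-user preference; report the
# effective mode and whether it is enforced (locked) or merely a user choice.
if ($null -ne $policy) {
    $effective = $policy; $source = 'machine policy (locked)'
} elseif ($null -ne $user) {
    $effective = $user;   $source = 'user preference (changeable by user)'
} else {
    $effective = 0;       $source = 'not configured (defaults to Off)'
}

$label = if ($Modes.ContainsKey($effective)) { $Modes[$effective] } else { "unknown ($effective)" }
Write-Output "Protected View for Reader $ReaderVersion : $label  [$source]"

# Exit non-zero when Protected View is effectively off, so the script can feed
# a compliance check after the GPO has been propagated.
if ($effective -eq 0) { exit 1 } else { exit 0 }
```

Run it under the account whose Reader configuration you want to check; the non-zero exit code on "Off" makes it easy to wrap in a fleet-wide compliance query after the GPO described above has been applied.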

Besides this option, users could install an alternative PDF reader, such as Foxit, PDF-XChange Viewer, Sumatra or Nitro, among others (via CNET).