Rigged PDFs exploiting just-patched Adobe Reader flaw

Written by Ryan Naraine, Contributor on
Just three days after Adobe shipped a patch with fixes for a critical Adobe Reader vulnerability, hackers are using booby-trapped PDF files to fire exploits against Windows users.

[ SEE: Heads up: Patch your Adobe Reader now ]

The in-the-wild attacks, first spotted by the SANS Internet Storm Center, follow the public release of proof-of-concept exploits at Milw0rm.com and underscore the importance of quickly patching third-party desktop applications.

I have seen a sample of one of the rigged PDF files in circulation and can confirm it is indeed exploiting the CVE-2008-2992 vulnerability, which is a stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier. It allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.

From the SANS ISC alert:

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts.
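The two indicators the article and the SANS excerpt give (an embedded JavaScript object wrapped in eval(unescape()), and a call to util.printf) can be turned into a triage check for incoming PDFs. The script below is an added example, not code from the article or from SANS; it uses heuristic regex parsing of uncompressed /JS entries rather than a full PDF parser, and the sample PDF it scans is constructed here with a harmless util.printf call as the decoded payload.

```python
import re

# Indicators named in the article: the exploit lives in an embedded PDF JavaScript
# object, hides behind eval(unescape(...)) and calls util.printf (CVE-2008-2992).
EVAL_UNESCAPE = re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)
UTIL_PRINTF = re.compile(r"util\.printf\s*\(", re.I)

def extract_pdf_javascript(pdf: bytes) -> list:
    """Collect /JS entries: literal (...) strings and uncompressed streams referenced
    as 'n 0 R'. Heuristic regex parsing, not a full PDF parser (no FlateDecode)."""
    text = pdf.decode("latin-1")
    scripts = [m.group(1) for m in re.finditer(r"/JS\s*\((.*?)\)\s*(?=/|>>)", text, re.S)]
    for m in re.finditer(r"/JS\s+(\d+)\s+0\s+R", text):
        obj = re.search(r"(?<!\d)%s\s+0\s+obj.*?stream\r?\n(.*?)\r?\nendstream" % m.group(1),
                        text, re.S)
        if obj:
            scripts.append(obj.group(1))
    return scripts

def unescape_layer(js: str) -> str:
    """Undo one layer of JavaScript unescape(): %uXXXX first, then %XX sequences."""
    js = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), js)

def scan_pdf(pdf: bytes) -> dict:
    """Flag embedded JavaScript, eval(unescape()) wrapping, and util.printf calls
    (checked on the raw script and again after one decoding pass)."""
    findings = {"javascript": False, "eval_unescape": False, "util_printf": False}
    for js in extract_pdf_javascript(pdf):
        findings["javascript"] = True
        findings["eval_unescape"] |= bool(EVAL_UNESCAPE.search(js))
        findings["util_printf"] |= bool(UTIL_PRINTF.search(js) or UTIL_PRINTF.search(unescape_layer(js)))
    return findings

# Constructed sample (not a real-world file): an OpenAction runs a JavaScript stream
# whose body is eval(unescape(...)) around a percent-encoded, harmless util.printf call.
ENCODED_CALL = "".join("%%%02x" % b for b in b'util.printf("%d", 1);')
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Length 0 >>\nstream\n"
    + ('eval(unescape("%s"));' % ENCODED_CALL).encode() + b"\nendstream\nendobj\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), scan_pdf(CLEAN_PDF))
```

Any PDF that scores on all three keys deserves sandbox detonation or quarantine; real samples usually add compressed streams and further obfuscation layers, so treat this as a first-pass filter.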

Adobe Reader is one of the most widely distributed pieces of software in the Windows ecosystem, so applying this patch should be an absolute priority.

The updates are available at: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084 (Windows), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093 (Mac), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094 (Linux/Solaris).
