Thursday, October 25, 2007

Adobe Patches Critical PDF Vulnerability

News Factor Network 24/10/2007
Website: http://www.newsfactor.com

Adobe patched its Acrobat and Reader programs on Monday. The fix closes a hole that let attackers compromise Windows XP systems by sending victims malicious PDF files. According to various reports, exploit files are circulating widely on the Internet in search of unpatched installations.

"Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system," Adobe said in a security bulletin. "A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities."

Windows XP users who also run Internet Explorer 7 are at risk. Adobe first acknowledged the bug about two weeks ago and posted a complex workaround that required users to edit the Windows registry. The flaw was first disclosed on September 20 by "pdp" on the Gnucitizen Web site.

Anatomy of the Attack

Attackers are still hunting for unpatched systems. Security firm iSIGHT Partners discovered new Russian Business Network spam carrying a hostile PDF file built to exploit the flaw. Successful exploitation lets the attackers download code from a remote server to the victim's machine.

The downloaded code installs two rootkit files that sniff and steal financial and other valuable data from the computer. They are written to the Windows directory as 9129837.exe and new_drv.sys.

Notably, the code and servers used in the attack are nearly identical to those used in the September 2006 Vector Markup Language (VML) zero-day attacks. The servers have a history of malicious abuse, including VML attacks, animated-cursor exploitation and CoolWebSearch installations, according to iSIGHT Partners.

The hostile e-mails carrying the malicious PDF exploit file circulate with the subject line "STATEMET indigene" (misspelled as in the spam). The attachments are named "YOUR_BILL.PDF" and "INVOICE.PDF."

"Antivirus detection is extremely poor for the exploit files and payloads involved in this attack, averaging only 26 percent out of 39 updated programs tested during the time of attack," said Ken Dunham, director of global response for iSIGHT Partners and a former director at VeriSign's iDefense.
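With signature detection this weak, a practitioner would fall back on the campaign's reported indicators: the subject line, the two attachment names, and the two files dropped into the Windows directory. The following triage helper is an added example, not code from iSIGHT Partners, Symantec or the original article. It matches those indicators against constructed mail-log lines and a constructed directory listing; the tab-separated log format, the sample addresses and the directory contents are assumptions made for illustration.

```python
"""Triage helper for the October 2007 malicious-PDF spam campaign.

Added example (not iSIGHT's, Symantec's or the article's code). Matches the
indicators reported in the article against constructed sample data.
"""
from dataclasses import dataclass

# Indicators reported in the article.
SUBJECT_IOC = "STATEMET indigene"
ATTACHMENT_IOCS = {"your_bill.pdf", "invoice.pdf"}
DROPPED_FILE_IOCS = {"9129837.exe", "new_drv.sys"}

# Constructed sample mail-log lines. The format is an assumption:
# timestamp <TAB> sender <TAB> subject <TAB> semicolon-separated attachments.
SAMPLE_MAIL_LOG = """\
2007-10-24 09:12:01\talice@example.com\tQ3 numbers\treport.xlsx
2007-10-24 09:15:44\tbilling@example.net\tSTATEMET indigene\tYOUR_BILL.PDF
2007-10-24 09:16:02\tbob@example.com\tRe: lunch\t
2007-10-24 09:20:19\tacct@example.org\tStatemet Indigene\tInvoice.pdf;notes.txt
2007-10-24 09:31:55\tcarol@example.com\tInvoice for October\tINVOICE.PDF
"""

# Constructed listing of a Windows directory (file names only, as a host
# inventory agent might report them). The listing is an assumption.
SAMPLE_WINDOWS_DIR = [
    "explorer.exe", "notepad.exe", "9129837.exe", "new_drv.sys", "win.ini",
]


@dataclass
class MailHit:
    timestamp: str
    sender: str
    reasons: list


def scan_mail_log(text):
    """Return one MailHit per log line that matches a campaign indicator.

    Subject and attachment comparisons are case-insensitive because the
    spam varies letter case between runs; each matching indicator is
    recorded as a separate reason so an analyst can see what fired.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess
        timestamp, sender, subject, attachments = parts
        reasons = []
        if subject.strip().lower() == SUBJECT_IOC.lower():
            reasons.append("subject matches campaign")
        for name in attachments.split(";"):
            if name.strip().lower() in ATTACHMENT_IOCS:
                reasons.append(f"attachment {name.strip()}")
        if reasons:
            hits.append(MailHit(timestamp, sender, reasons))
    return hits


def find_dropped_files(listing):
    """Return the campaign's dropped-file names present in a directory listing."""
    return sorted(name for name in listing if name.lower() in DROPPED_FILE_IOCS)


if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_MAIL_LOG):
        print(hit.timestamp, hit.sender, "; ".join(hit.reasons))
    print("dropped files present:", find_dropped_files(SAMPLE_WINDOWS_DIR))
```

The attachment-name check catches only this lure; a renamed attachment slips past it, so the subject match and the host-side check for the two dropped files give two more chances to spot a successful infection. On a real host, the listing would come from %SystemRoot% rather than a constructed list.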

Symantec Antivirus Protection

In addition, Symantec reports that its researchers are tracking a Trojan, Trojan.Pidief.A, designed to exploit this PDF vulnerability.

Symantec Security Response's Hon Lau said it is likely that the Trojan has been spammed out in targeted attacks on specific businesses. Symantec is assuring its antivirus customers that definition sets dated October 23, revision 008 or later, detect it.

"This mass mailing of exploit files may be an attempt to leverage the exposure window between patch release and widespread adoption of the fix," said Symantec in a warning to customers of its DeepSight threat intelligence network.

Security researchers recommend applying the Adobe update and treating unsolicited PDF attachments with extreme caution.
