Adobe Reader Woes, Again
Posted by Jennifer Szkatulski, John Kuhn, and Holly Stewart on February 23, 2009 at 4:02 PM EST.
As mentioned in the recently released 2008 X-Force Trend and Risk Report, PDF exploitation has now become one of the most common and successful techniques used in malicious websites today, representing about 10% of all malicious web links in the last quarter of 2008. The reasons for this vary:
- PDF exploitation is browser-independent. Because these attacks target Acrobat Reader itself, users of Internet Explorer, Firefox, Opera and other web browsers are all affected equally if they use Acrobat Reader to view PDF files.
- Browsers are typically configured to open PDF files automatically in Acrobat Reader or its plug-in and usually require no interaction from the end user (other than a click on a link) to do so.
- Some people perceive that patching Acrobat Reader is not as important as patching other software and operating system elements. Conversations with many end users have revealed that a large number of them lack a sense of urgency when it comes to patching and consider it a hassle to go through an update when they’re simply trying to view a PDF file.
- In certain cases the payload is triggered without the user ever opening the file, for example when the file browser is configured to render PDF thumbnails and the user merely browses a folder that contains the malicious document.
- PDF exploits may eventually reach the mobile market as well, since most new smartphones can open .pdf files. BlackBerry, for example, recently had to deal with a .pdf vulnerability of its own.
Today we have a zero-day situation with Adobe Reader and Acrobat that affects all versions of the software. A vulnerability in the way Adobe Reader handles JBIG2 image streams embedded in a PDF could allow remote code execution on the target host. So far we have only witnessed this exploit in highly targeted attacks and have not yet seen it used heavily in the wild, but it is unknown how long it will be before it spreads through malicious websites. Milw0rm has just released proof-of-concept exploit code, so we don't expect it to take long before this exploit moves beyond targeted attacks to integration into exploit toolkits and widespread exploitation.
In the Security Operations Center we know this transition can take weeks, or sometimes only hours, so it is best to put your protective measures in place now, before Adobe officially releases a patch. Using your current IPS to protect the entire network at the gateway is ideal; the signatures IBM ISS customers can enable are listed on our Alert. If this is not an option, we suggest you adhere as far as possible to the general PDF security practices below.
Other security practices that can limit your exposure to malicious PDF files:
1) Do not open untrusted PDF files
2) Prevent browsers from automatically opening PDF documents (prompt to save or open instead of launching the reader on click)
3) Disable the display of PDF documents inside the web browser (the Acrobat Reader plug-in)
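As an added example that is not part of the original post or of IBM ISS code, the following hypothetical Python triage script applies the practices above to files that arrive by other routes (a mail gateway quarantine, a shared folder): it flags PDFs that declare a JBIG2-encoded image stream, the component this zero-day targets. Beyond a plain byte search it resolves #xx hex escapes in PDF name tokens and inflates FlateDecode streams, because an indirect /Filter reference can place the filter name inside a compressed object stream where a grep would miss it. The sample PDFs are constructed skeletons, not valid documents, and a JBIG2 filter is a triage heuristic rather than proof of malice: legitimate scanned documents use it too.

```python
"""Hypothetical PDF triage scanner (added example, not the original post's or
IBM ISS's code).  Flags files whose objects declare a JBIG2-encoded image
stream, covering two scanner evasions: #xx escapes inside the filter name and
a filter name that only appears after inflating a FlateDecode stream."""
import re
import zlib

# PDF name objects may encode any character as #xx: /JBIG2#44ecode == /JBIG2Decode.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Raw stream bodies sit between the 'stream' and 'endstream' keywords
# (the lookbehind stops 'endstream' from being mistaken for a stream start).
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JBIG2 = b"/JBIG2Decode"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated name tokens compare equal to plain ones."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Inflate every stream body that is Flate data.  decompressobj is used so a
    truncated stream still yields its decodable prefix instead of nothing."""
    layers = []
    for m in _STREAM.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (JBIG2 bodies, raw images, damaged data)
        if out:
            layers.append(out)
    return layers


def scan_pdf_bytes(data: bytes) -> dict:
    """Return triage findings for one PDF held in memory."""
    layers = [data] + inflate_streams(data)
    findings = {"jbig2": False, "obfuscated_name": False,
                "in_inflated_stream": False, "inflated_streams": len(layers) - 1}
    for depth, layer in enumerate(layers):
        normalized = normalize_names(layer)
        if JBIG2 in normalized:
            findings["jbig2"] = True
            if JBIG2 not in layer:
                findings["obfuscated_name"] = True   # visible only after un-escaping
            if depth > 0:
                findings["in_inflated_stream"] = True  # invisible to a plain byte grep
    return findings


def _pdf_with_object(body: bytes) -> bytes:
    """Wrap one object in a minimal PDF skeleton (constructed sample, not a valid PDF)."""
    return b"%PDF-1.5\n1 0 obj\n" + body + b"\nendobj\n%%EOF\n"


def build_samples() -> dict:
    """Constructed sample files covering the plain, obfuscated, hidden and benign cases."""
    def image(filter_token: bytes) -> bytes:
        return (b"<< /Type /XObject /Subtype /Image /Width 64 /Height 64 /BitsPerComponent 1"
                b" /ColorSpace /DeviceGray /Filter " + filter_token +
                b" /Length 4 >>\nstream\n\x00\x00\x00\x00\nendstream")
    # Hidden case: the image's /Filter is an indirect reference to object 5, and
    # object 5 lives inside a Flate-compressed object stream, so the raw bytes of
    # the file never contain '/JBIG2Decode'.
    packed = zlib.compress(b"5 0 /JBIG2Decode")
    objstm = (b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
              % len(packed) + packed + b"\nendstream")
    return {
        "plain": _pdf_with_object(image(JBIG2)),
        "obfuscated": _pdf_with_object(image(b"/JBIG2#44ecode")),
        "hidden_in_objstm": _pdf_with_object(image(b"5 0 R") + b"\nendobj\n4 0 obj\n" + objstm),
        "benign": _pdf_with_object(b"<< /Type /Catalog /Pages 2 0 R >>"),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:18s} {scan_pdf_bytes(blob)}")
```

A byte grep for /JBIG2Decode catches only the first sample; the second needs the name un-escaped and the third needs the object stream inflated. In production you would feed scan_pdf_bytes the raw attachment from the mail gateway or the file from the quarantine folder and treat a hit as "route to manual review", not as a verdict.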
Malicious websites will continue to increase in the coming year. However, when it comes to PDF there is nowhere to hide: blocking at the web layer alone will not end this threat, because PDF vulnerabilities can be exploited through other protocols and are easily used in email attacks (phishing, spam, etc.). In fact, we have already picked up exploits for this particular vulnerability in spam email. Stay aware, patch, and protect!