Internet Security Systems - AlertCon(TM)

Adobe Reader Woes, Again

Posted by Jennifer Szkatulski, John Kuhn, and Holly Stewart on February 23, 2009 at 4:02 PM EST.

As mentioned in the recently released 2008 X-Force Trend and Risk Report, PDF exploitation has now become one of the most common and successful techniques used in malicious websites today, representing about 10% of all malicious web links in the last quarter of 2008. The reasons for this vary:

  • PDF exploitation is browser-independent. Because these attacks target Acrobat Reader itself, users of Internet Explorer, Firefox, Opera and other web browsers are all affected equally if they use Acrobat Reader to view PDF files.
  • Browsers are typically configured to open PDF files automatically in Acrobat Reader or its plug-in and usually require no interaction from the end user (other than a click on a link) to do so.
  • Some people perceive that patching Acrobat Reader is not as important as patching other software and operating system elements. Conversations with many end users have revealed that a large number of them lack a sense of urgency when it comes to patching and consider it a hassle to go through an update when they’re simply trying to view a PDF file.
  • In certain cases, such as having thumbnails turned on while browsing the folder, the payload is automatically triggered.
  • PDF exploits may reach the mobile market some day, as most new smartphones can open .pdf files. BlackBerry has already had a .pdf vulnerability of its own.

And now a new PDF vulnerability has produced another round of exploits, one that is surely bound to grow. The question is exactly when this increase will occur and whether it will happen before Adobe releases its patch on March 11. You may recall that Adobe Reader left us last year with two critical vulnerabilities that resulted in rampant remote code execution exploits. A vulnerability in the Collab.collectEmailInfo function of Acrobat Reader's JavaScript engine (CVE-2007-5659) was reported in 2007, but it was not exploited until January of 2008, and the exploit did not become widespread until around August of 2008. By contrast, a vulnerability in the util.printf function (CVE-2008-2992), discovered in November of 2008, found its way into malware toolkits almost immediately. An additional vulnerability affected not only Adobe Reader but also Foxit Reader, a very popular alternative to Adobe Acrobat Reader.

Today we have a zero-day situation with Adobe Reader and Acrobat that affects all versions of the software. A vulnerability in the way Adobe Acrobat Reader handles the JBIG2 image stream could allow remote code execution on the target host. So far we have only witnessed this exploit in highly targeted attacks and have not yet detected it being used heavily in the wild. But it is unknown how long it will be before we see it spread quickly through malicious websites. Milw0rm has just released proof-of-concept exploit code, so we do not expect it to take long before this exploit moves beyond targeted attacks to integration into exploit toolkits and widespread exploitation.

In the Security Operations Center, we know this can take weeks, or sometimes only hours, so it is best to formulate your protection now, before Adobe officially releases its patch. Using your current IPS to protect your entire network at the gateway is ideal. A list of signatures that IBM ISS customers can enable is provided in our Alert. If this is not an option, we suggest you adhere to the general .pdf security practices below where possible.
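As an added defender's example (not from the original post and not IBM ISS code), a small Python triage script that flags PDF files carrying a JBIG2 image stream together with JavaScript or an auto-run action, the combination this advisory is concerned with, so a mail gateway or web proxy can quarantine them before they reach Reader. The two sample PDFs are constructed inline and are not exploit files; the script also undoes PDF name hex-escapes (such as `/J#42IG2Decode`), which a plain string match would miss.

```python
import re

# Constructed sample PDFs (not real exploit files): a benign one, and one that
# combines a JBIG2 image stream with JavaScript and an auto-run /OpenAction,
# written with #xx name escapes so a naive search for "/JBIG2Decode" misses it.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Filter /J#42IG2Decode /Width 1 /Height 1 /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
5 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# PDF names may encode any byte as #xx; decode them before matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

# Indicators relevant to this advisory. Caveat: this scans raw bytes only, so
# objects held inside FlateDecode-compressed object streams must be inflated first.
INDICATORS = {
    "jbig2_stream": rb"/JBIG2Decode",
    "javascript": rb"/JavaScript|/JS\b",
    "open_action": rb"/OpenAction|/AA\b",
}

def scan_pdf(data: bytes) -> dict:
    """Count each indicator after undoing name escapes; also count the escapes."""
    norm = normalize_names(data)
    hits = {name: len(re.findall(pat, norm)) for name, pat in INDICATORS.items()}
    hits["escaped_names"] = len(NAME_ESCAPE.findall(data))
    return hits

def triage(data: bytes) -> str:
    """Map indicator counts to a gateway action: allow, review or quarantine."""
    hits = scan_pdf(data)
    if hits["jbig2_stream"] and (hits["javascript"] or hits["open_action"]):
        return "quarantine"
    if hits["jbig2_stream"] or hits["javascript"] or hits["escaped_names"]:
        return "review"
    return "allow"
```

A legitimate scanned document may also use JBIG2 compression, which is why a JBIG2 stream alone only earns a "review" rather than a "quarantine".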

Some other security practices that might limit your exposure to malicious PDF files are:
1)  Do not open untrusted PDF files
2)  Disable JavaScript in Adobe Reader and Acrobat
3)  Prevent browsers from automatically opening PDF documents
4)  Disable the display of PDF documents in the web browser

Malicious websites will continue to increase in the coming year. When it comes to PDF, however, there is nowhere to hide: blocking at the web layer alone would not end this threat. PDF vulnerabilities can be exploited through other protocols and can easily be used in email attacks (phishing, spam, etc.), for example. In fact, we have already picked up exploits for this particular vulnerability in spam email. Stay aware, patch, and protect!

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.