November 7, 2012

Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground.

The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI  (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X— Adobe introduced a “sandbox” feature  aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has held its ground.

But according to Andrey Komarov, Group-IB’s head of international projects, this vulnerability allows attackers to sidestep Reader’s sandbox protection. Komarov said the finding is significant because “in the past there was no documented method of how to bypass” Adobe Reader X’s sandbox to run code of the attacker’s choice on the target’s computer. The Russian firm produced the following video which they say demonstrates a sanitized version of the attack.

The exploit does have some limitations, Komarov said. For example, it can’t be fully executed until the user closes his Web browser (or Reader). And so far, they have only seen the attack work against Microsoft Windows installations of Adobe Reader.

Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available.

“Adobe will reach out to Group-IB,” Lips said. “But without additional details, there is nothing we can do, unfortunately— beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit, a malicious software framework sold in the underground that is designed to be stitched into hacked Web sites and deploy malware via exploits such as this one.

For now, the research firm said, the Adobe Reader exploit is being distributed only in “small circles of the underground.” Contacted via instant message, the author of the Black Hole exploit kit said today that he also had confirmed the existence of a private Adobe Reader exploit that was being sold in closed circles. He noted that although his kit currently does not include the exploit, he is hoping to acquire it and add it soon.

If that happens, it may not be long before this becomes a much bigger problem; Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader option apart from Adobe’s,  including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.


39 thoughts on “Experts Warn of Zero-Day Exploit for Adobe Reader

  1. Jack Rivers

    Won’t it be enough to disable the Adobe Pdf browser plugin to be immune to this exploit?

    1. Robert S

      No, at least according to the video. If you download a trojaned PDF, and run it in Reader, it will still run the shellcode. Admittedly, that is a bit harder to get a victim to do, but still way too easy.

  2. Steve Werby

    Unless Adobe is already aware of this 0-day vulnerability and plans on incorporating a fix in their scheduled quarterly update next Tuesday, an out-of-band Adobe Reader update seems likely. It’s fascinating (though not surprising) that those who discovered the 0-day are selling it to select customers for 5-figures a pop in advance of it being incorporated into exploit kits like Blackhole. It’s probably already being used in targeted attacks, but attacks will probably soon explode and we’ll all do the dance we’re so used to.

  3. JimboC

    Thanks for the heads up Brian. I shall watch the progress of this exploit unfold with interest through this blog and the usual security news sites online.

    This Group-IB sounds very similar to the controversial French company Vupen which last week announced a similar exploit for Windows 8.

    We can only hope that this group does not attempt to sell the flaw to Adobe since Adobe are unlikely to buy it, that would be extortion.

    I really wish that such companies would responsibly disclose such flaws to the companies concerned (in this case Adobe) but since they make their business selling exploits this is extremely unlikely and will put many innocent people at risk of a malware infection.

    1. Kris

      imagine that you found a bug in Adobe. what you are going to do? post the info on Adobe’s support forum? Adobe will ignore you, but hackers will get the idea.

      ok, you spent hours, looking for direct contacts. you sent PoC to them, you waited for a month, but there was no response. you were ignored.

      please answer a very simply question: why you have to waste your time, trying to reach Abobe? I’m not telling that selling exploits to criminals is a good thing, but if you are not a company, if you are a person — the best thing you can do — contact a company like Group-IB.

  4. JimboC

    Thanks for posting this video Brian.

    I find it interesting that they chose Windows XP to show this exploit. Adobe Reader 11 (XI) cannot use its Force ASLR feature to make exploit this hard to trigger since the base addresses of all of the DLLs will be randomized only if Force ASLR is available (i.e. ASLR will be enabled for all DLLs if even they don’t support it. DLLs will be randomized even if they were compiled without the /DYNAMICBASE compiler flag).

    The Force ASLR feature is only available on Windows 7 and Windows 8.

    They are also using IE 6, while it may not have a bearing on the exploit; I would feel this exploit was more resilient if it worked on a fully patched Windows 8 64 bit system with IE 10. I also wonder what difference Microsoft EMET 3.0 or 3.5 would make.

  5. Richard Steven Hack

    Time to treat Adobe Reader like Java – uninstall it.

    Use third party PDF readers instead of Adobe. Granted they will have vulnerabilities, too, but at least you’re replacing a monoculture attack surface with a fractured surface.

    1. Hans

      I agree, Richard, and that is why it is not only disabled on my rig, but uninstalled. It is also a resource hog as well.

      We use Foxit reader and thankfully have had no issues..

      1. Chris Novak

        Richard Steven Hack & Hans, great recommendation on “fracturing” the surface. I think I’ll have to start experimenting with Foxit.

    2. mechBgon

      I look at it another way. Adobe has changed their game since Reader 8/9. Their sandbox is pretty good, and they’ve just come out with their second-gen sandbox, ForceASLR and I forget what else. If it’s not perfect, I’d still think carefully before doing the Chicken Little act because someone, somewhere, has found a workable exploit against it. They would probably have an equally easy time finding holes in whatever alternative you run to.

      I like to say something practical when I post, so let me suggest that Adobe Reader users do this:

      1. if you’re using an old version, update to Reader 11 (XI).

      2. disable Acrobat Javascript. You’ll find that checkbox by clicking Edit > Preferences in Adobe Reader, then clicking Javascript at the left. I can’t speak for everyone, but this has had no impact on functionality for me, and historically this feature has been abused in real-world exploits.

      3. while you’re in Reader’s Preferences, also click Security (Enhanced) and ensure Protected Mode is enabled, and that Protected View is applied to all files. You can bust your PDFs out of Protected View as desired, or set up a trusted location that PV doesn’t apply to.

      4. bonus points for going to the Trust Manager section and disabling the opening of non-PDF attachments by Reader.

      1. JimboC

        I have read elsewhere that this particular exploit does not use JavaScript to exploit the computer.

        However, mechBgon recommendations of disabling JavaScript should still be used since disabling this can mitigate other threats contained in PDFs.

        I realize that Adobe have a JavaScript blacklist (http://helpx.adobe.com/acrobat/kb/reader-acrobat-javascript-blacklist-framework.html ) that you can add un-trusted JavaScripts APIs to but for non-corporate customers this would be an admin overhead. Simply disabling it works more effectively for home users.

        Thanks.

      2. Nic

        It’s disrespectful to say people are pulling a “Chicken Little act” for switching from Adobe Reader to a more secure alternative. It’s dismissive.

        http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012#4

        Flaws in Adobe Reader are responsible for about 25% of penetrations. And now we realize Adobe’s sandbox apparently… isn’t.

        If you want to convince people to use Adobe Reader, recognize that you have an uphill battle given its sordid history, and that you’re not really in a position to be dismissive of the people who promote more secure alternatives.

        1. mechBgon

          Fair enough, let’s look at your info there. There’s one mention of PDF exploits on the page, which is this one:

          http://www.securelist.com/en/advisories/47133

          Following the trail, we find Adobe’s security advisory:

          http://www.adobe.com/support/security/bulletins/apsb11-30.html

          Which says, “Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing.”

          The sandbox is working there. If people run verion 9.x, then they have a problem.

          I certainly welcome an expert comparison of Adobe’s sandboxing tech, all-out ASLR enforcement, Protected Mode/Protected View, and overall security development lifecycle against any contenders whom you feel are putting equal effort into their product’s security.

          In my habit of contributing something useful: anyone with concerns about their PDF reader (or any other app) getting exploited and launching a payload could look into Software Restriction Policy, which I have a writeup on at mechbgon.com/srp. Properly done, it’s very potent against a broad swath of exploits, Trojans and worms.

  6. Richard Steven Hack

    By the way, you see the news today that Adobe will now schedule its updates on Microsoft’s Patch Tuesdays?

    As someone said, “Adobe is now ‘married’ to Microsoft.”

    Also, note that in a recent list of the top ten highly exploited software, Adobe accounted for almost all of it except for some Java. And people were crowing that nothing made by Microsoft made it to the list (which only means Adobe is massively worse than Microsoft, not that Microsoft is any better.)

    Maybe we should say Adobe is the new Microsoft.

    1. Uzzi

      .oO(My glass of water says some time ago they started to point guns to each others heads… but you can say they ‘married’. – A bizarre relationship for sure…^^)

    2. mechBgon

      If you check into it, I think the stats will also show that it’s the old versions of Reader that are vulnerable, e.g. 7 through 9. For example, check out Sophos’s report on the Blackhole exploit kit, pages 5 & 6:

      http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/exploring-the-blackhole-exploit-kit.aspx

      Now look at the CVE identifiers on the PDF exploits. 2010, 2009, 2009, 2008, 2007. Old vulns in old (but still widespread) versions of the software.

    3. Rabid Howler Monkey

      Richard Steven Hack wrote:
      “As someone said, “Adobe is now ‘married’ to Microsoft.”

      Not just Microsoft. Adobe is also married to Intuit, a financial software ISV providing both installed applications and web-based services. A short list:
      o TurboTax 2012
      o QuickBooks
      o Online Payroll

      In this case Intuit users cannot simply uninstall Adobe Reader as it is required for important business functions. Looks like a good case for users to maintain two PDF readers. One for use with Intuit’s installed software and another for everything else.

      Users of Intuit’s online services might want to go as far as pairing Adobe with Internet Explorer and use the combination only for Intuit’s web sites. And then pair both an alternative PDF reader and alternative web browser for everything else.

      P.S. Sage, another business software ISV, also requires Adobe Reader for many of their financial products.

      1. Old School

        SOURCE: http://turbotax.intuit.com/support/iq/Print-and-Save/Save-Your-Tax-Return–PDF-File-/GEN12337.html
        “Tax returns saved as Portable Document Format (PDF) files can be viewed and printed through the free Adobe Reader or Foxit Reader software instead of TurboTax.

        This comes in handy if you don’t have TurboTax software installed on your computer, or if you need a copy of your return after TurboTax Online shuts down for the tax year.”
        So TurboTax supports Foxit. Happy Tax Season!!!

        1. Rabid Howler Monkey

          Thanks, Old School. TurboTax 2012 Online vs. installed on a Windows PC, perhaps? Or, maybe, Adobe Reader is not a ‘hard’ system requirement as indicated by Intuit for many of their products.

          http://turbotax.intuit.com/support/iq/Install-Product/TurboTax-2012-System-Requirements/GEN84801.html
          Updated: 10/04/2012
          “Below are the minimum requirements for TurboTax 2012 software installed on a Windows computer. The 2012 versions are Basic, Deluxe, Premier, Home & Business, and Business.
          Third-Party Software: Adobe Reader 8+

          Perhaps some more Intuit (and Sage) financial software users will weigh in as TurboTax is one of many financial products.

        2. Chuck

          I have used TurboTax for many years, and in recent times I have used PDF-Xchange as my sole PDF reader. TurboTax’s PDF files work fine with this reader. I can’t see any reason why they wouldn’t work with just about any PDF reader, unless there is something extremely special about the PDF files that TurboTax creates.

  7. Chris Novak

    mechBgon & JimboC, great recommendations. I’d always been disabling Javascript, but your other recommendations make a lot of sense. Now as the list grows, if there was only an INI file to update, or a way to create a *.reg file to apply all these “better defaults”….!

    1. Andrew Zizzo

      You can indeed use the registry to modify settings such as the disabling of javascript for Adobe Reader, or with version XI Adobe has available a GPO ADM template. Very convenient for locking down (to a degree) Acrobat Reader on a Windows domain.

    2. JimboC

      Thanks Chris.

      I actually originally read about the recommendations that mechBgon gave as well as my recommendation on the website http://www.bleepingcomputer.com back in November 2010 shortly after the release of Adobe Reader X (10).

      Unfortunately, the original post describing these recommendations and why it was a good idea to disable them no longer exists. This was my reason for linking to the blog posts that I provided.

  8. Alice

    Actually, if you want the demo this time with commentary, Kris and I had created one together here: http://youtu.be/Hybc4KQrtbY

    He’d asked me some time ago to help him create it, as he’d found the vulnerability a while back. As you can see in the video, Javascript WAS disabled when the exploit was executed.

    1. neko

      I just curiously like to know was “Trust Manager/Allow opening of non-PDF file attachments with external applications” enabled?

    1. Chris Novak

      Thanks Joost! So, if I install Adobe Reader XI, modify all the settings, and then use Regedit to export the key for Adobe Reader…
      HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0

      …then also follow the tips (via .BAT/.CMD, and another .REG file for disabling PDF Icon Preview in Windows, and IE View PDF, I should have a much more secure Adobe PDF installation (knock on wood!), and an additional tool for securing Adobe Reader 11 on other systems.

      “Open With” on a PDF file also shows those two as available applications. Like the IE PDF View, is there a similar one for Firefox or Chrome which also needs disabling ?

  9. Chris Novak

    Regarding alternate PDF viewers; Brian mentioned Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF. Based on Hans’ recommendation, I installed Foxit, and immediately remembered TANSTAAFL: “There ain’t no such thing as a free lunch”. I am NOT a fan of the ASK Toolbar. Plus I recalled the issues another client related about Nitro PDF — it kept badgering her to buy and install Nitro Pro.

    I understand that PC software has to be paid for, but unfortunately it hasn’t evolved like smartphone apps, where the advertising supported version is free, or $1-$3 for the “ad-free” version. A low-cost paid ad-free version (or a free version with ads for “Krebs on Security” (!) would go a LONG way to fracture Adobe’s dominance of PDF viewers which (as Microsoft is with Internet Explorer), making Adobe Reader a prime multi-platform target.

    I did notice when using “Open With”, that Mozilla Firefox and Google Chrome are also listed as viewers. So, instead of Foxit or Nitro with annoying ads or performance-robbing toolbars (Foxit’s ASK toolbar now even appears in Chrome!), what about using Google Chrome as the default to open PDFs instead of Adobe Reader? If so, any comments on Chrome settings ?

    1. Rabid Howler Monkey

      Chris Novak wrote:
      “TANSTAAFL: “There ain’t no such thing as a free lunch”

      In the case of SumatraPDF there is a free lunch because is it FOSS software licensed under the GPL v3.

      As for the Chrome browser with its PDF Reader plug-in, this is a very good option as the plug-in is updated transparently and is sandboxed. This article linked below states (via Andrey Komarov, the head of Group-IB) that the exploit fails to work in Google’s Chrome browser PDF Reader plug-in:

      http://www.computerworld.com/s/article/9233382/Zero_day_PDF_exploit_reportedly_defeats_Adobe_Reader_sandbox_protection

      1. Rabid Howler Monkey

        Just a note that the ComputerWorld article I linked above may have been referring to using the Chrome browser with Adobe’s PDF Reader plug-in. The PDF Reader plug-in that defaults with Chrome is built from Foxit Software’s PDF SDK:

        http://googlesystem.blogspot.com/2010/08/google-chromes-pdf-plugin-uses-foxit.html

        However, one can disable Chrome’s built-in PDF Reader plug-in if one wishes to use the Adobe Reader (or Acrobat) PDF Reader plug-in with Chrome:

        “Adobe PDF plug-in
        http://support.google.com/chrome/bin/answer.py?hl=en&answer=142056

        Either way, using the Chrome browser to view PDF documents should be safe from this exploit.

        1. Chris Novak

          >>Rabid Howler Monkey Thanks for the advice.
          But switching from Internet Explorer or Mozilla Firefox (with their Adobe Reader plugins) to Google Chrome, which is faster (IMHO) and has its own self-contained plugins for Flash and Reader, should take care of known browser-online PDF issues.

          And using OPEN WITH on any PDF file would allow selection of Google Chrome as the default PDF Viewer would provide a nice non-adware non-bloatware alternative to Foxit or Nitro. And of course, subsequent use of Right-click “Open With” would allow temporary selection of Adobe Reader if any document proves troublesome in Chrome’s built-in PDF viewer.

          I’m all for “bullet-proofing” Adobe Reader for maximum compatibilty, but we all know it’s an Arms Race: One side develops thicker armor, and the other side builds a larger shell. Side-stepping the issue by fracturing the PDF viewer platform makes tactical sense (which is why Microsoft keeps recommending an alternate browser until unpatched major IE flaws are fixed.

          Other comments or suggestions?

    2. Doug

      I’ve used Foxit Reader before during version 1 and 2, and like all other software, the later versions seems to have become more and more bloated with each release. If you install Foxit Reader, just make sure to use “Custom” and uncheck the boxes that installs the extra junk.

      Ninite is awesome, it automatically installs your selected software without any of the toolbars or junk….I use it just about daily on customer’s PC’s.

  10. Mark Dowling

    How many devs and their support desks, faced with queries from their customers about why their Reader plugin which worked in 9.x doesn’t work in 10.x+, answer “ah, you have to disable Protected Mode”?

    My guess: more than a few.

    1. Rob Simpson

      Yep you are very right. Software companies try to plug their leaky software with security features, that then stop their software from functioning in any useful way at all. Gotta love the old IIS lockdown tool, IEESC, Windows UAC and the like. The first thing IT departments have to do is turn all this nonsense off to get the software functional again.

  11. Steve Lembark

    Q: Anyone know if the exploit works if Adobe is in lxc (“containers”)?

  12. Chuck

    I use PDF-Xchange, but it’s never clear to me whether (or which) Adobe vulnerabilities carry over to this reader, and the vendor’s website doesn’t provide much help in answering this question. Is there some reasonably transparent way to determine which vulnerabilities are specific to the Adobe Reader, and which ones carry over to other readers as well? Thanks.

Comments are closed.