Attackers target new Adobe zero-day flaw

By Robert Westervelt, News Editor
20 Feb 2009 | SearchSecurity.com


A newly discovered zero-day vulnerability within Adobe's Acrobat Reader is being actively targeted by attackers, warn researchers at Symantec Corp.

Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

"Malicious PDFs using this exploit will be detected as Trojan.Pidief.E," Symantec said in a statement.

Kevin Haley, director of security response at Symantec, said researchers there were given a sample of the threat Feb. 12. The first signs of it appearing in the wild were discovered in Japan. So far the Trojan seems to be spreading slowly, targeting company managers and senior-level executives, Haley said.

"Our speculation is that since there's so few of these, they're targeted at high level people or specific government agencies," he said. "We haven't seen a carpet bomb of anybody in certain company or agency. It's been tightly controlled."

Exploit code is circulating in the wild in the U.S., China, Japan, Taiwan and the U.K.

Adobe acknowledged the zero-day in an advisory to customers, calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions.

"This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe said in its advisory.

Adobe said it is in the process of fixing the processing error and will release the first fixes by March 11.

Danish vulnerability clearinghouse Secunia gave the zero-day an extremely critical rating. In its advisory, Secunia said the flaw could be exploited to access critical system files.

On Thursday, the Shadowserver Foundation, a volunteer watchdog group of security pros, released details of the Adobe zero-day. The foundation said the attacks attempt to exploit a vulnerability in a non-JavaScript function call.

Shadowserver volunteers Steven Adair and Matt Richard advise users to disable JavaScript until a patch is released. The workaround prevents the malware from being installed on the system, but Acrobat or Reader will still crash.

"You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen," Adair wrote in a Shadowserver post. "It should be an easy choice."


Editor's note: This story was updated to include comment from Symantec's Kevin Haley.
