News Stay informed about the latest enterprise technology news and product updates.

Another PDF attack targets Adobe zero-day vulnerability

Trend Micro discovers malware attempting to exploit Adobe's latest zero-day vulnerability. A patch is due out next week.

Security researchers at Trend Micro Inc. have discovered another malware variant attempting to exploit a PDF zero-day vulnerability identified last month in Adobe Reader.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The malware, being delivered in malicious PDF email attachments, targets a JavaScript vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions. It then drops a downloader onto the victim's machine, which attempts to use Internet Explorer to receive commands, Jessa De La Torre, a threat response engineer with Trend's research team, explained on the company's Malware Blog.

"Once connected, a malicious user may execute any command on the affected system," De La Torre said.

Researchers discovered the Adobe zero-day vulnerability in Reader and Acrobat Dec. 15, but the software maker has held back on pushing out a patch to users until its regularly scheduled patch update, due out Jan. 12.

"We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks," Brad Arkin, Adobe's director of product security and privacy wrote in a blog entry. "Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for Jan. 12, 2010."

Until the patch is released, users are being advised to disable JavaScript and warned not to open files from untrustworthy sources. Since the vulnerability was made public, security researchers have been analyzing a number of malicious PDF files attempting to exploit the flaw.

Few details are known about the flaw, but Adobe issued an advisory last month calling the vulnerability critical, and warning that it was being actively exploited in the wild.

"Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability," Adobe said, adding that disabling JavaScript can be done manually as well.

In addition, Adobe said Microsoft's Data Execution Prevention functionality can be enabled to help minimize the risk to end users. The feature prevents malicious code from activating in non-executable memory.

"With the DEP mitigation in place, the impact of this exploit has been reduced to a denial-of-service during our testing," Adobe said.

Adobe has come under increasing pressure in 2009 to focus on its secure software development lifecycle and find better ways topush out patches. The popular Reader and Acrobat software is estimated to be used by millions of people, but a study last summer found that users were slow in installing the latest security updates. Adobe's Arkin says the company's software engineering team has made significant improvements, including implementing a quarterly patch cycle and better communication with users. A new update utility is also being tested that could speed up the process.

Other security researchers have warned that the PDF attacks targeting the zero-day vulnerability appear to be using increasingly sophisticated code. Bojan Zdrnja, senior information security consultant at Croatia-based security firm Infigo IS, analyzed a malicious PDF malware variant that uses egg-hunting shellcode. Once open on a victim's computer, it seeks out malicious code embedded within objects in the PDF file.

"This one had everything embedded so it was as stealthy as possible; no connections are made to the Web at all," Zdrnja said in a recent interview.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.