Adobe warns of zero-day vulnerability in Reader and Acrobat
Adobe is warning of a new vulnerability in Adobe Reader and Acrobat 9.3.4 and earlier for Windows, Mac OS X and Unix, which is already being exploited by attackers to infect Windows PCs using specially crafted PDF files. According to Secunia, the problem is caused by a buffer overflow when parsing fonts as a result of a bug in the CoolType.dll library. No patch is currently available, but the vendor is said to be working on a solution.
The exploit is said to be able to bypass Windows 7 and Vista protection mechanisms such as data execution prevention (DEP) and address space layout randomisation (ASLR). It uses return-oriented programming, in which only return addresses and parameters, rather than code, are placed on the stack. According to Kaspersky, in contrast to previous PDF exploits, the malware is included in the PDF file itself rather than additional malware being downloaded from the web. Other security specialists have, however, observed that, after dropping a DLL, the exploit downloads further code from a server on the domain academyhouse.us.
The installed malware is also reported to have a valid digital signature – many anti-virus packages do not routinely check files with a valid signature. A trojan with a valid signature was previously observed in July. Many anti-virus software vendors have nevertheless already released a signature for the new PDF trojan, partly as a result of good, rapid communications between anti-virus software vendors and independent security specialists and malware analysts.
Due to its many vulnerabilities, Adobe Reader has been a top target for criminals over the last few years and, in a future version, Adobe plans to take its product out of the firing line by integrating a sandbox. This should stop Reader from gaining write access to the Windows system and should also prevent changes being made to the registry or files on the hard drive, prevent processes from being launched and block access to named pipes or named shared memory.