Criminals attempt to exploit unpatched hole in Adobe Reader
According to several reports by anti-virus vendors, criminals have attempted to exploit an unpatched hole in Adobe Reader disclosed about two weeks ago to infect Windows PCs. The relevant malware includes the particularly dangerous ZeuS bot. The specially crafted documents are apparently sent to users as email attachments.
The "Launch Actions/Launch File" function in Adobe Reader allows the execution of scripts or EXE files embedded in PDFs. Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection in to their systems. Sophos have posted a demo which tries to persuade users to click an OK button on their blog.
A report from M86Security describes a PDF document that tries to install the ZeuS bot. When opened, the document tries to save a further PDF document which contains the actual malware. The documents are probably nested in an attempt to trick virus scanners. Interestingly, Reader opens a user dialogue before saving the file, but Foxit automatically saves the file without requesting confirmation. The current version of Foxit at least opens a dialogue when trying to start the bot that is hidden in the PDF – older versions simply execute embedded files without prior warning.
Adobe has not given the hole a critical rating because of the warning issued by Reader. The vendor considers the function an essentially useful feature which only becomes a problem when used maliciously. Adobe says that after all, Adobe Reader warns users that they should only launch files from trusted sources. Adobe recommends that users disable the option "Allow opening non-PDF file attachments with external applications" under Preferences/Trust Manager – this option is enabled by default.
While current attacks don't appear to be very sophisticated, Jeremy Conway, who recently presented a refined version of the exploit released by Didier Stevens, thinks that this is only the beginning and that far more sophisticated attempts will appear soon.
- Adobe issues official workaround for PDF vulnerability, a report from The H.
- New version of Foxit closes executable security hole, a report from The H.
- PDF exploit requires no specific security hole to function, a report from The H.