Web pages infecting PCs via vulnerabilities in Adobe Reader
Anti-virus software vendors have warned of crafted PDF files which allow attackers to infect a victim's PC with malware. To become infected, all the user has to do is open a PDF file from a website in Internet Explorer or Firefox. The files exploit security vulnerabilities in Adobe Reader, Adobe Acrobat Professional, 3D and Standard prior to version 8.1.2. Version 7, for which no update is currently available, is also affected.
Rumours of websites trying to infect visitors' PCs started circulating last week. At the time it was not clear what vulnerabilities were being exploited, as the vendor had not published information on the vulnerabilities and only slipped in a warning of critical vulnerabilities several days after releasing version 8.1.2, in which the problems have been fixed.
There is also a vulnerability in Reader when loading the "Security Provider" library for cryptography. Reader apparently fails to properly check the path, thereby loading arbitrary files with the same name as the library from the current directory. If an attacker has control of that directory, for example on an SMB or WebDAV server, he can inject malicious code.
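The unsafe search order described above, as an added illustrative model rather than code from heise or Adobe: a loader that consults the current directory before the application's own directory picks up a same-named file planted there, while a loader that resolves only from a fixed absolute application directory does not. The library file name and the directories are constructed for the example.

```python
"""Model of an unsafe library-path lookup versus a hardened one."""
import os
import tempfile
from typing import Dict, Optional

# Hypothetical library name for the demonstration; not Adobe's actual file name.
LIB_NAME = "securityprovider.dll"


def resolve_unsafe(name: str, app_dir: str, cwd: str) -> Optional[str]:
    """Search the current directory before the application directory,
    the pattern the advisory describes: whoever controls cwd wins."""
    for directory in (cwd, app_dir):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_safe(name: str, app_dir: str, cwd: str) -> Optional[str]:
    """Resolve only from the absolute application directory; cwd is never
    consulted, and a missing library is an error rather than a fallback."""
    candidate = os.path.join(os.path.abspath(app_dir), name)
    return candidate if os.path.isfile(candidate) else None


def demo() -> Dict[str, bool]:
    """Build an install dir plus an attacker-controlled 'current directory'
    (e.g. a mounted SMB/WebDAV share) holding a same-named file, then compare
    what each resolver would load."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Program Files", "Reader")
        share_dir = os.path.join(root, "remote_share")  # constructed cwd
        os.makedirs(app_dir)
        os.makedirs(share_dir)
        with open(os.path.join(app_dir, LIB_NAME), "w") as fh:
            fh.write("genuine")
        with open(os.path.join(share_dir, LIB_NAME), "w") as fh:
            fh.write("planted")
        unsafe = resolve_unsafe(LIB_NAME, app_dir, share_dir)
        safe = resolve_safe(LIB_NAME, app_dir, share_dir)
        # Failure mode: genuine copy absent; the safe resolver must not fall
        # back to the current directory.
        os.remove(os.path.join(app_dir, LIB_NAME))
        safe_missing = resolve_safe(LIB_NAME, app_dir, share_dir)
        return {
            "unsafe_loaded_planted": unsafe is not None and unsafe.startswith(share_dir),
            "safe_loaded_genuine": safe is not None and safe.startswith(app_dir),
            "safe_refuses_fallback": safe_missing is None,
        }


if __name__ == "__main__":
    print(demo())
```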
The first crafted PDF files were spotted on an Italian forum on 19th January. On opening the file, an embedded script downloads a variant of the Zonebac trojan from an IP address in the Netherlands. In addition, crafted banners have also been used to try to distribute the PDF files to users. The trojan apparently contacts the doginhispen.com and skitodayplease.com servers.
The rate of detection of the crafted files by anti-virus software is currently modest. Only F-Secure, McAfee, Microsoft, Norman and Symantec detected two of the three sample files available to heise Security. The exploit bears names including W32.Pidief. Users should update to version 8.1.2 of Adobe Reader or Acrobat as soon as possible.
- Adobe Reader Security Provider Unsafe Library Path Vulnerability, security advisory from iDefense.
- Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities, security advisory from iDefense.