Web pages infecting PCs via vulnerabilities in Adobe Reader
Anti-virus software vendors have warned of crafted PDF files which allow attackers to infect a victim's PC with malware. To become infected, all the user has to do is open a PDF file from a website in Internet Explorer or Firefox. The files exploit security vulnerabilities in Adobe Reader, Adobe Acrobat Professional, 3D and Standard prior to version 8.1.2. Version 7, for which no update is currently available, is also affected.
Rumours of websites trying to infect visitors' PCs started circulating last week. At the time it was not clear what vulnerabilities were being exploited, as the vendor had not published information on the vulnerabilities and only slipped in a warning of critical vulnerabilities several days after releasing version 8.1.2, in which the problems have been fixed.
More precise information from independent service providers such as iDefense and Tipping Point is now available. According to their reports, the problems are the result of incorrect implementation of JavaScript in the Adobe Reader EScript plugin. An insecure method allows low level access to objects, which in turn allows execution of malicious code. Disabling JavaScript in these products remedies the problem. According to iDefense, this also offers protection from multiple buffer overflows in other JavaScript methods, which also allow execution of malicious code on users' systems. iDefense doesn't give precise figures for the number of buffer overflows, but the exploits apparently make use of precisely these bugs. Adobe was informed of the vulnerabilities in October.
There is also a vulnerability in Reader when loading the "Security Provider" library for cryptography. Reader apparently fails to properly check the path, thereby loading arbitrary files with the same name as the library from the current directory. If an attacker has control of that directory, for example on an SMB or WebDAV server, he can inject malicious code.
The first crafted PDF files were spotted on an Italian forum on 19th January. On opening the file, an embedded script downloads a variant of the Zonebac trojan from an IP address in the Netherlands. In addition, crafted banners have also been used to try to distribute the PDF files to users. The trojan apparently contacts the doginhispen.com and skitodayplease.com servers.
The rate of detection of the crafted files by anti-virus software is currently modest. Only F-Secure, McAfee, Microsoft, Norman and Symantec detected two of the three sample files available to heise Security. The exploit bears names including W32.Pidief. Users should update to version 8.1.2 of Adobe Reader or Acrobat as soon as possible.
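As an added illustration (not part of the original article), the following Python scanner flags PDFs that carry the two ingredients the article describes: an embedded JavaScript object and an action that runs it automatically on open. The sample PDF is constructed and benign; real files may hide these names inside compressed object streams, which this plain-text check does not decode.

```python
import re

# Constructed sample: a minimal PDF whose catalog runs an embedded script on open.
# The script body is harmless; only the structure mirrors what the article describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Script objects, plus the actions that trigger them without user interaction.
INDICATORS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"]

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each indicator name after un-escaping; keys are the INDICATORS."""
    text = normalise_names(data)
    counts = {}
    for name in INDICATORS:
        # Require a delimiter after the name so /JS does not match a longer name.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts

def is_suspicious(data: bytes) -> bool:
    """True when the file has a script object and an automatic trigger."""
    c = scan_pdf(data)
    has_script = c["/JavaScript"] > 0 or c["/JS"] > 0
    has_trigger = c["/OpenAction"] > 0 or c["/AA"] > 0
    return has_script and has_trigger

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), is_suspicious(SAMPLE_PDF))
```

Treat a hit as a reason to inspect, not a verdict: legitimate forms use JavaScript too, and a clean result only means no indicator was visible in uncompressed objects.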
See also:
- Adobe Reader Security Provider Unsafe Library Path Vulnerability, security advisory from iDefense.
- Adobe Reader and Acrobat JavaScript Insecure Method Exposure Vulnerability, security advisory from iDefense.
- Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities, security advisory from iDefense.
- Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability, security advisory from ZDI.
(ehe)