Adobe confirms zero-day exploit bypasses Adobe Reader sandbox

The attacks are highly sophisticated and likely part of an important cyberespionage operation, a Kaspersky Lab researcher says

A recently found exploit that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11 is highly sophisticated and is probably part of an important cyberespionage operation, the head of the malware analysis team at antivirus vendor Kaspersky Lab said.

The exploit was discovered Tuesday by researchers from security firm FireEye, who said that it was being used in active attacks. Adobe confirmed that the exploit works against the latest versions of Adobe Reader and Acrobat, including 10 and 11, which have a sandbox protection mechanism.

"Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message," the company said in a security advisory published Wednesday.

Adobe is working on a patch, but in the meantime users of Adobe Reader 11 are advised to enable the Protected View mode by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

The exploit and the malware it installs are super high-level, according to Costin Raiu, director of Kaspersky Lab's malware research and analysis team. "It's not something you see every day," he said Thursday.

Judging by the sophistication of the attacks, Raiu concluded that they must be part of an operation of "huge importance" that "would be on the same level with Duqu."

Duqu is a piece of cyberespionage malware discovered in October 2011 that's related to Stuxnet, the highly sophisticated computer worm credited with damaging uranium enrichment centrifuges at Iran's nuclear plant in Natanz. Both Duqu and Stuxnet are believed to have been created by a nation state.

The latest exploit comes in the form of a PDF document and attacks two separate vulnerabilities in Adobe Reader. One is used to gain arbitrary code execution privileges and one is used to escape from the Adobe Reader 10 and 11 sandbox, Raiu said.

The exploit works on Windows 7, including the 64-bit version of the operating system, and it bypasses the Windows ASLR (address space layout randomization) and DEP (Data Execution Prevention) anti-exploitation mechanisms.

When executed, the exploit opens a decoy PDF document that contains a travel visa application form, Raiu said. The name of this document is "Visaform Turkey.pdf."

The exploit also drops and executes a malware downloader component that connects to a remote server and downloads two additional components. These two components steal passwords and information about the system configuration, and can log keystrokes, he said.

The communication between the malware and the command-and-control server is compressed with zlib and then encrypted with AES (Advanced Encryption Standard) using RSA public-key cryptography.

This type of protection is very rarely seen in malware, Raiu said. "Something similar was used in the Flame cyberespionage malware, but on the server side."

This is either a cyberespionage tool created by a nation state or one of the so-called lawful interception tools sold by private contractors to law enforcement and intelligence agencies for large sums of money, he said.

Kaspersky Lab doesn't yet have information about this attack's targets or their distribution around the world, Raiu said.

Reached via email on Wednesday, FireEye's senior director of security research, Zheng Bu, declined to comment on the attack's targets. FireEye published a blog post with technical information about the malware on Wednesday, but didn't reveal any information about victims.

Bu said that the malware uses certain techniques to detect if it's being executed in a virtual machine so it can evade detection by automated malware analysis systems.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetysecurityadobeFireEyeDesktop securityExploits / vulnerabilitiesspywaremalwarekaspersky labintrusion

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?