As mentioned in my previous post Prevalence of Exploited PDFs, over the past months CA ISBU has seen consistent, recurring attacks on malware explicitly designed to exploit PDF vulnerabilities – this mainly involves the 'Collab.collectEmailInfo()' function and misusing the URI 'mailto'. Today, another strain joins the group.
Adobe Security Bulletin released an update last week, fixing the critical vulnerability CVE-2008-2992 found in Adobe PDF Reader’s JavaScript engine. The flaw was specifically found in a weak implementation of JavaScript’s 'util.printf()' function, where an attacker can send a series of strings long enough to cause a stacked-based buffer overflow. An attacker can then execute arbitrary code on the system; unfortunately with the same level privileges as the user who’s running the vulnerable version of Adobe Reader.
A proof-of-concept code was immediately published on various channels displaying a good number of hits; almost immediately after this, attackers took advantage of the vulnerability, as shown in the latest exploited or trojanized PDF sample we received:
Adobe Reader 9 and Acrobat 9 are not affected by this vulnerability. However, users running Adobe Reader 8.1.2 and earlier versions should immediately update. Please see the relevant Adobe security bulletin:
http://www.adobe.com/support/security/bulletins/apsb08-19.htm
Furthermore, CA’s Anti-Virus solutions detect these malicious PDF files as PDF/Utilf and PDF/CVE-2008-2992!exploit.