Yet Another Exploited PDF in the Wild
Published: November 10 2008, 10:24 PM by Methusela Cebrian Ferrer
As mentioned in my previous post, Prevalence of Exploited PDFs, over the past months CA ISBU has seen consistent, recurring attacks using malware explicitly designed to exploit PDF vulnerabilities; these mainly involve the 'Collab.collectEmailInfo()' function and misuse of the 'mailto' URI. Today, another strain joins the group.
Adobe released a security bulletin last week fixing the critical vulnerability CVE-2008-2992 in Adobe Reader's JavaScript engine. The flaw lies in a weak implementation of the JavaScript 'util.printf()' function: an attacker can supply a series of strings long enough to cause a stack-based buffer overflow and then execute arbitrary code on the system, with the same privileges as the user running the vulnerable version of Adobe Reader.
Proof-of-concept code was published almost immediately on various channels and drew a good number of hits; attackers took advantage of the vulnerability just as quickly, as shown in the latest exploited (trojanized) PDF sample we received:
Adobe Reader 9 and Acrobat 9 are not affected by this vulnerability. However, users running Adobe Reader 8.1.2 and earlier versions should immediately update. Please see the relevant Adobe security bulletin:
http://www.adobe.com/support/security/bulletins/apsb08-19.htm
Furthermore, CA’s Anti-Virus solutions detect these malicious PDF files as PDF/Utilf and PDF/CVE-2008-2992!exploit.
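As an added defensive example (my own code, not from the post or from CA), here is a small Python triage script that pulls JavaScript out of a PDF and flags the indicators named above: calls to util.printf() and Collab.collectEmailInfo(), mailto URIs, and strings grown in a loop. The regexes, the loop heuristic and the embedded sample PDF are assumptions and constructions of mine; hex-string /JS values and object streams are not handled.

```python
import re
import zlib
# Indicators named in the post: the two abused functions and the 'mailto' trick.
SUSPICIOUS_CALLS = ("util.printf", "Collab.collectEmailInfo")
JS_LITERAL_START = re.compile(rb"/JS\s*(?=\()")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def _read_literal(data, start):
    # Body of the PDF literal string at data[start] == b'('; parens nest, '\' escapes.
    depth, i = 1, start + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        i += 2 if c == b"\\" else 1
        depth += (c == b"(") - (c == b")")
    return data[start + 1:i - 1]

def extract_javascript(pdf):
    # Scripts from /JS literal strings plus every stream body, inflated if it is Flate
    # compressed (hex-string /JS values and object streams are not handled here).
    scripts = [_read_literal(pdf, m.end()) for m in JS_LITERAL_START.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            body = zlib.decompress(body)  # trailing EOL bytes after the data are ignored
        except zlib.error:
            pass  # not Flate-compressed: analyse the raw bytes
        scripts.append(body)
    return [s.decode("latin-1") for s in scripts]

def analyze_script(js):
    # Findings for one script; empty means nothing notable. Loop heuristic is an assumption.
    findings = [f"call to {name}()" for name in SUSPICIOUS_CALLS if name in js]
    if "mailto:" in js:
        findings.append("mailto: URI inside script")
    if re.search(r"\b(while|for)\b", js) and re.search(r"\w+\s*\+=\s*\w+", js):
        findings.append("string grown in a loop")
    return findings

def scan_pdf(pdf):
    # Script index -> findings, for every embedded script that raised at least one flag.
    return {i: f for i, js in enumerate(extract_javascript(pdf)) if (f := analyze_script(js))}

# Constructed sample (not a real or working exploit): one literal /JS action, one plain
# stream and one Flate-compressed stream, just enough to exercise the indicators above.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b'2 0 obj << /S /JavaScript /JS (var s = "A"; while (s.length < 4096) s += s;'
    b" util.printf(s);) >> endobj\n3 0 obj << /Length 5 >> stream\nhello\nendstream endobj\n"
    b"4 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b'Collab.collectEmailInfo({}); this.submitForm("mailto:x@example.com");')
    + b"\nendstream endobj\n%%EOF\n"
)
```

Run `scan_pdf(open(path, "rb").read())` on a suspect file; a non-empty result is a reason to look closer, not proof of exploitation, since legitimate forms also use JavaScript and mailto.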