Adobe issues advisory on new PDF vulnerability – patch due March 11 (UPDATE 3)by Steve Ragan - Mar 5 2009, 23:18
New attack vectors for this vulnerability are starting to crop up. Perhaps Adobe should push the patch out sooner than the 11th.
The newest Proof-of-Concept, thanks to Didier Stevens, explains how the PDF vulnerability can be exploited with no interaction on the part of the end user.
Using Windows Explorer Shell Extensions, Stevens created a direct path to exploitation that can be triggered by merely selecting a malicious PDF file. No need to open it, just click on it once, or hover over it with the mouse.
If the malicious file is in a folder and the Thumbnail option is set, the exploit could be triggered as well.
More information is here. (Video included)
There is more information on the recent PDF vulnerability discovered by the Shadowserver Foundation and confirmed by Adobe.
The vulnerability research team at Sourcefire (of Snort fame) have issued a patch on their own for the Adobe PDF issue. This patch is not official, and ONLY for version 9 of Adobe Reader. If you are on earlier verions, such as version 8, then you will have to wait for a solution. More details of the patch can be found here.
Original story is below:
A new vulnerability in Adobe’s Acrobat Reader 9 and Acrobat 9, as well as earlier versions, has been discovered by the Shadowserver Foundation. Adobe issued an official advisory on Friday, and said it expects to patch the flaw on March 11, with updates to earlier versions to follow soon after.
“A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited,” Adobe stated in the advisory.
PDF files are a popular target for online criminals, as they are almost universal methods of documentation and communication within both the business and private communities.
“The potential of an exploit like this is only limited by the imagination [of] malicious users,” said Jonathan Leopando of Trend Micro. “It spreads the same way normal PDF files can be distributed - either as an e-mail attachment, or downloaded from Web sites.”
On Thursday, the Shadowserver Foundation went public with details on the vulnerability, including the fact it is being actively exploited in a limited scale.
“Right now we believe these files are only being used in a smaller set of targeted attacks,” the foundation outlined. “However, these types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the Internet. As a result we are also not going to provide any specific details on how the exploit works despite the fact that information is known.”