UPDATE: Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat, a researcher at FireEye told Threatpost today. The exploit is the first to escape the sandbox included in Reader X and above.
Zheng Bu, senior director of security research at FireEye, said the attack has not yet been added to any of the popular exploit toolkits, but said that once more details are made public, that it would likely be a matter of time.
“We haven’t seen this type of attack before; it’s quite rare,” Bu said. “If you look at the indicators of compromise of these attacks and the selection of the command and control server, it’s all a bit new and not from the known hacker groups.”
Bu said FireEye discovered the exploit yesterday and communicated what it had found to Adobe, which asked the company not to disclose any information about the vulnerability. Bu would not comment on where the exploit was found, whether it was in a targeted attack against particular victims, or whom the victims may be. He also did not confirm whether the attacks are being spread via spear phishing messages.
Researchers at Kaspersky Lab said that the exploit being circulated for this vulnerability is the first confirmed sandbox escape affecting Reader X or higher.
“We can confirm the existence of a malicious PDF in the wild that’s successfully able to break out of Adobe Reader’s sandbox. We’ve seen successful exploitation on a machine running Windows 7 x64 and Adobe Reader 11.0.1,” said Roel Schouwenberg, senior security researcher at Kaspersky Lab.
Adobe’s Product Security Incident Response Team (PSIRT) confirmed it is investigating FireEye’s findings.
“We are currently investigating this report and assessing the risk to our customers,” Adobe said in a statement.
FireEye said the vulnerability being exploited affects Reader 11.0.1 and earlier versions, as well as 10.1.5 and 9.5.3.
“Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document [the visa application], which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain,” FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett wrote today in a blog post.
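As an added illustration, not part of the Threatpost article or of FireEye's analysis, the following Python sketch correlates constructed endpoint telemetry for the behaviour the quote describes: a Reader process writing DLLs into a user-writable directory, those DLLs being loaded, and the same process then connecting to an external host. The event format, hostnames, file names, the assumption that Reader itself loads the dropped DLLs, the internal-network list and the corporate DNS suffix are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample telemetry (not real logs; made up for this example).
# One event per line: <timestamp> <host> <pid> <image> <event> <detail>
SAMPLE_TELEMETRY = [
    # ws01: the drop-two-DLLs-then-call-back chain described in the article (assumed shape)
    "2013-02-13T09:01:02Z ws01 4120 AcroRd32.exe FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.dll",
    "2013-02-13T09:01:02Z ws01 4120 AcroRd32.exe FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll",
    "2013-02-13T09:01:03Z ws01 4120 AcroRd32.exe ImageLoad C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.dll",
    "2013-02-13T09:01:03Z ws01 4120 AcroRd32.exe FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\decoy.pdf",
    "2013-02-13T09:01:04Z ws01 4120 AcroRd32.exe ImageLoad C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll",
    "2013-02-13T09:01:05Z ws01 4120 AcroRd32.exe NetworkConnect 203.0.113.10:443",
    # ws02: Reader loading one of its own installed DLLs and talking to an internal server (benign)
    "2013-02-13T09:05:00Z ws02 2210 AcroRd32.exe ImageLoad C:\\Program Files\\Adobe\\Reader\\AcroRd32.dll",
    "2013-02-13T09:05:01Z ws02 2210 AcroRd32.exe NetworkConnect 10.20.0.8:445",
    # ws03: Reader reaching an external host with no DLL drop first (does not match the pattern)
    "2013-02-13T09:06:00Z ws03 3300 AcroRd32.exe NetworkConnect updates.example.net:443",
]

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Directories a non-elevated Reader process can write to (assumed list)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Address space considered internal (assumed; adjust to the environment)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_DOMAIN_SUFFIX = ".corp.example"   # assumed corporate DNS suffix


class Event(NamedTuple):
    ts: str
    host: str
    pid: int
    image: str
    kind: str     # FileCreate | ImageLoad | NetworkConnect
    detail: str   # path written/loaded, or "host:port" for NetworkConnect


def parse_line(line: str) -> Event:
    ts, host, pid, image, kind, detail = line.split(" ", 5)
    return Event(ts, host, int(pid), image, kind, detail)


def is_external(dest: str) -> bool:
    """True when the connection target lies outside the assumed internal space."""
    target = dest.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                       # a hostname rather than an IP literal
        return not target.lower().endswith(INTERNAL_DOMAIN_SUFFIX)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_reader_dll_drop_callback(lines: List[str]) -> List[dict]:
    """Flag a Reader process that drops DLLs, loads them, then connects out."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    dropped: Dict[str, set] = defaultdict(set)                  # host -> dropped DLL paths
    loaded: Dict[str, Dict[int, List[str]]] = defaultdict(lambda: defaultdict(list))
    reported = set()
    findings = []
    for e in events:
        d = e.detail.lower()
        if (e.kind == "FileCreate" and e.image.lower() in READER_IMAGES
                and d.endswith(".dll") and any(p in d for p in USER_WRITABLE)):
            dropped[e.host].add(d)
        elif e.kind == "ImageLoad" and d in dropped[e.host]:
            loaded[e.host][e.pid].append(d)
        elif (e.kind == "NetworkConnect" and loaded[e.host].get(e.pid)
                and is_external(e.detail) and (e.host, e.pid) not in reported):
            reported.add((e.host, e.pid))
            findings.append({
                "host": e.host, "pid": e.pid, "image": e.image,
                "dropped_dlls": list(loaded[e.host][e.pid]),
                "destination": e.detail, "ts": e.ts,
            })
    return findings


if __name__ == "__main__":
    for hit in detect_reader_dll_drop_callback(SAMPLE_TELEMETRY):
        print(hit)
```

The rule deliberately requires all three stages in order, so Reader loading its own installed DLLs, or simply checking for updates over the Internet, does not fire it; the ws02 and ws03 lines exist to show that.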
Bu said the exploit purports to be a visa application for a non-English speaking country and there are patterns in the malware that led researchers to conclude the attacker could have a Spanish-speaking background.
“We identified variables and patterns that make us think the attacker is Latin or Spanish,” Bu said.
FireEye suggests not opening any PDF files until a mitigation plan is available from Adobe.
Today’s zero-day follows back-to-back security updates for Adobe Flash Player and Shockwave Player. Yesterday’s regularly scheduled update for Flash Player patched 17 vulnerabilities, most of them memory corruption issues, as well as a vulnerability that could lead to information loss.
Last Friday, Adobe sent an out-of-band patch for Flash Player vulnerabilities being exploited in targeted attacks against users in strategic industries such as aerospace and manufacturing.
One of the attacks was being delivered via infected SWF Flash files attached to Microsoft Office documents, while the other was delivered over the Web and targeted Firefox and Safari on Mac OS X.
This article was updated with comments from Zheng Bu of FireEye and a statement from Roel Schouwenberg.