Adobe today released a patch for two vulnerabilities being exploited in the wild that enabled attackers to pull off the first confirmed sandbox escape against Adobe Reader.
The vulnerabilities (CVE-2013-0640 and CVE-2013-0641) could cause a crash and allow an attacker to remotely run malware on a compromised computer. They affect Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Mac OS X systems.
Exploits were discovered by security company FireEye; spear-phishing messages sent victims infected PDF files purporting to be a travel visa application form called Visaform Turkey. Most of the messages were written in Italian. Researchers at Kaspersky Lab were among the first to confirm the sandbox escape, adding that the exploit worked against a fully patched 64-bit Windows 7 machine and Adobe Reader 11.0.1.
The sandbox, which first appeared in Adobe Reader X, confines execution of any suspicious application activity to this layer of defense. In Reader, the sandbox is known as Protected Mode, and it is there that PDF processing and parsing, JavaScript execution and other rendering take place. Also, according to Adobe, any processes that need to execute outside the sandbox must do so through a trusted proxy.
“The goal of this design aspect is to process all potentially malicious data in the restricted context of the PDF principal and not in the context of the fully privileged user principal,” Adobe said.
FireEye said the exploits were adept at avoiding detection by security software, and succeeded in bypassing the DEP and ASLR exploit mitigations by using return-oriented programming (ROP) techniques.
The exploits would drop a pair of executables, including a malicious DLL; this library installed the malware called Trojan.666, which was the name attached to an image file associated with the exploit. The Trojan opened a backdoor to a command and control infrastructure; from there, attackers would be able to install additional payloads and malicious files.
Adobe, which gave the vulnerabilities its highest critical rating for Windows and Mac OS X, had originally recommended that users enable the Protected View feature in Reader and Acrobat as a temporary mitigation. Protected View differs from Protected Mode in that it is a read-only mode that blocks the execution of files until the user OKs them as trustworthy. According to the Adobe developer site, Protected View leverages the sandbox implementation already available in Adobe Reader. Users can choose this setting by following Edit > Preferences > Security (Enhanced).
IT managers and administrators have been buried in patch hell during the first two months of this year; a rough count of Microsoft, Oracle and Adobe vulnerabilities addressed this year alone hovers near 220. This week alone, Apple, Oracle and now Adobe have sent out high priority security bulletins addressing a variety of previously unreported vulnerabilities.