Adobe released an advisory yesterday suggesting a manual mitigation for zero-day vulnerabilities in its Reader and Acrobat products that are being actively exploited in the wild. The exploit is the first sandbox escape in Adobe Reader X and above.
FireEye, which reported the vulnerability to Adobe on Tuesday, has released more details about the exploit, calling it Trojan.666 based on the name of an image base found in the attack.
Adobe said it is working on an emergency patch for the popular document reader. In the meantime, it urges users to enable the product’s Protected View feature, which is off by default.
Protected View was introduced into Acrobat in version 10.1 and Reader in 11.0 for Windows; it is a read-only mode that blocks executable files until the user decides the document is trustworthy. According to the Adobe developer site, Protected View leverages the sandbox implementation already available in Adobe Reader. Users can choose this setting by following Edit > Preferences > Security (Enhanced).
Adobe said there are two vulnerabilities (CVE-2013-0640 and CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Mac OS X systems. Active exploits are using malicious PDFs attached to phishing messages purporting to be a travel visa application called Visaform Turkey.pdf.
Roel Schouwenberg, senior security researcher at Kaspersky Lab, said yesterday that the exploit being circulated for this vulnerability is the first confirmed sandbox escape affecting Reader X or higher. He said researchers confirmed the exploit worked against a 64-bit Windows 7 machine and Adobe Reader 11.0.1.
FireEye shared more details on the attack last night. JavaScript embedded in the PDF, containing variables in Italian, uses string manipulation techniques to avoid detection. It checks for the version of Reader in place on the compromised machine and creates shellcode accordingly. The attacks are successful in using return-oriented programming (ROP) techniques to bypass Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP) exploit protections, FireEye said.
“To bypass ASLR and DEP, the shellcode is in a format of ROP chain. It will create a new DLL file on the disk and execute it by calling LoadLibraryA(),” the FireEye advisory said. “Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.”
The malicious library installs the payload, a downloader posing as a language bar add-in dropped into the registry for persistence. There are a number of tricks the malware tries in order to subvert analysis and detection, FireEye said. The malware is also capable of uninstalling itself or entering a long sleep mode.
Once it establishes communication with a command and control server, additional payloads are downloaded, including a pair of DLLs, libarext32.dll and libarhlp32.dll, and a data file called kmt32.pod, the contents of which have not been determined so far, FireEye said.
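Because the attack described above arrives as a PDF attachment carrying embedded JavaScript, a mail gateway or analyst can triage attachments by counting the PDF name tokens that introduce scripts and automatic actions. The sketch below is an added example, not code from Adobe or FireEye; the token list, the function names and the sample document are constructed for illustration, and it scans raw bytes only, so names inside compressed object streams are not seen.

```python
import re

# PDF name tokens that warrant a closer look in an e-mail attachment (assumed list).
SUSPICIOUS_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# A PDF name is '/' followed by regular characters; '#xx' encodes one byte in hex.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so '/J#61vaScript' compares equal to '/JavaScript'."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes and record escaped spellings."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    obfuscated = []
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:  # a hex-escaped keyword is itself a warning sign
                obfuscated.append(raw.decode("latin-1"))
    return {
        "is_pdf": data.lstrip().startswith(b"%PDF-"),
        "counts": counts,
        "obfuscated": obfuscated,
        "needs_review": counts["/JS"] + counts["/JavaScript"] > 0,
    }


# Constructed sample: an inert skeleton with an auto-run action and an escaped name.
SAMPLE = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A document flagged with `needs_review` is a candidate for opening only in Protected View or a detonation sandbox; a clean result does not prove the file is safe.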