In February 2009, security researchers found zero-day exploits targeting several versions of Adobe Reader and Acrobat. Symantec was one of the companies involved and offers a good explanation of the exploit:

“Symantec Security Response has received several PDF files that actively exploit vulnerabilities in Adobe Reader. While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source!

It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations, for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.”

Because this was a zero-day, there was initially no fix for the vulnerability, so security researchers recommended disabling JavaScript in all working Web browsers.

Adobe agrees

Adobe acknowledged the problem in a 19 February 2009 security bulletin:

“A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.”

How the exploit works

As to how the malware exploits the vulnerability, Symantec goes on to explain:

“The vulnerability is caused by an error in parsing particular structures within the PDF format. Once the malicious document is opened it will trigger the vulnerability. The JavaScript payload then sprays the heap with the malicious shellcode in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim’s system.”

The malicious binary of choice is Backdoor.Trojan, a back door that is part of GHoST, a malware toolkit originally from China. Backdoor.Trojan has been around for several years and is used to view the desktop, record keystrokes, and allow remote access to the infected machine.
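A defender-side triage script for the indicators Symantec describes above (JavaScript launched from a PDF, heap-spray style string building, and the script comments that let analysts link separate samples to one source), added here as an example; it is not Symantec's or Adobe's code. The PDF name objects it looks for (/OpenAction, /AA, /JavaScript, /JS, /FlateDecode) are real, but the regex heuristics, the verdict labels and the sample document built at the bottom are assumptions made for this illustration.

```python
"""Triage helper for the indicators described above: JavaScript that runs
automatically when a PDF opens, heap-spray style string building, and the
script comments that can tie separate samples together.
Constructed example for this page, not Symantec's or Adobe's tooling; the
PDF name objects are real, the heuristics and sample document are made up."""
import re
import zlib

AUTO_RUN_NAMES = (b"/OpenAction", b"/AA")   # actions fired on open / page events
JS_NAMES = (b"/JavaScript", b"/JS")         # action type and script reference

# Heuristic heap-spray signals (assumptions, not a vendor signature): a long
# run of unescape("%u....") building raw bytes, and a string repeatedly
# appended to itself (s += s) to grow it to heap-filling size.
UNESCAPE_RE = re.compile(rb'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){4,}')
DOUBLING_RE = re.compile(rb"(\w+)\s*\+=\s*\1\b")
COMMENT_RE = re.compile(rb"//[^\r\n]*|/\*.*?\*/", re.S)

# A stream object: dictionary (one level of nested << >> allowed, so the
# match never crosses into a neighbouring object), 'stream', body, 'endstream'.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf):
    """Replace every FlateDecode stream body with its decompressed form so
    that compressed script text is scanned like plain text."""
    def _inflate(m):
        dict_bytes, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dict_bytes:
            try:
                # decompressobj tolerates a trailer clipped by the regex
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # damaged or multi-filter stream: keep the raw bytes
        return b"<<" + dict_bytes + b">>\nstream\n" + body + b"\nendstream"
    return STREAM_RE.sub(_inflate, pdf)


def triage_pdf(pdf):
    """Count indicators in a PDF given as bytes and return (findings, verdict).
    Script comments are collected because, as the quoted analysis notes,
    shared comments can link separate samples to the same author."""
    text = inflate_streams(pdf)
    bodies = [body for _, body in STREAM_RE.findall(text)]
    findings = {
        "auto_run": sum(text.count(n) for n in AUTO_RUN_NAMES),
        "javascript": sum(text.count(n) for n in JS_NAMES),
        "unescape_spray": len(UNESCAPE_RE.findall(text)),
        "string_doubling": len(DOUBLING_RE.findall(text)),
        "comments": sorted({c for b in bodies for c in COMMENT_RE.findall(b)}),
    }
    if findings["javascript"] and (findings["unescape_spray"] or findings["string_doubling"]):
        verdict = "suspicious: JavaScript with heap-spray indicators"
    elif findings["javascript"] and findings["auto_run"]:
        verdict = "review: JavaScript runs automatically on open"
    elif findings["javascript"]:
        verdict = "info: document contains JavaScript"
    else:
        verdict = "clean: no JavaScript indicators"
    return findings, verdict


# Constructed sample script: inert placeholder bytes, no working payload.
SAMPLE_JS = (b"// build-123 sample comment\n"
             b'var block = unescape("%u4141%u4141%u4141%u4141");\n'
             b"while (block.length < 0x10000) block += block;\n")


def build_sample_pdf(script, compress=True):
    """Build a minimal one-page PDF whose /OpenAction runs `script`
    (constructed test input, optionally FlateDecode-compressed)."""
    body = zlib.compress(script) if compress else script
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(body)).encode() + filt
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for compress in (True, False):
        findings, verdict = triage_pdf(build_sample_pdf(SAMPLE_JS, compress))
        print("compressed" if compress else "plain", verdict, findings)
```

Run it on a real file with `triage_pdf(open(path, "rb").read())`. A hit on the heap-spray heuristics is a reason to open the file only in an isolated environment and to compare its comments with other samples, not proof of exploitation, and a benign document with form scripting will legitimately produce the "review" verdict.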

Adobe releases fix

Back in February, Adobe warned that it would take until 10 March 2009 to get patches ready for version 9 of Adobe Reader and Acrobat, and until 18 March 2009 to prepare patches for the remaining versions. They weren't lying: those were the exact dates the fixes came out.

Security researchers and Adobe recommend upgrading to Reader 9.1 (the latest version of Reader) if at all possible, since it's free. Acrobat is definitely not free, so I'd recommend running the Acrobat update process instead. It's located under the Help pull-down menu.

I'd double-check even if the update process is set to automatic. If it's not set to automatic, it might be a good idea to configure it that way for future updates. Those changes can be made by first clicking on the Preferences button shown in the following slide:

A new window opens with all available setting options. The next slide shows what I use for my settings:

Final thoughts

To avoid yet another JavaScript vulnerability, please update your Adobe products. Those who dislike Adobe products also need to be cautious: there seems to be some confusion as to whether other PDF readers are vulnerable to this exploit, so it would be a good idea to check whether any updates are available for alternate PDF applications. Finally, I'd recommend that everyone use NoScript.

TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.