12.08.11

New Zero-Day Attack in Adobe Products (CVE-2011-2462)

Recently, Adobe has released a new security advisory, APSA11-04, alerting users about a critical vulnerability in Adobe Reader and Acrobat.

The U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. This means that the malicious files could be downloaded or dropped on the affected system.

Adobe is in the process of finalizing a fix for the issue and expects to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, Adobe is currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. Adobe is planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

Affected software versions

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

*Note: Adobe Reader for Android and Adobe Flash Player are not affected by this issue.

PDF/Pidief.AJL is the detection for specially crafted PDF files capable of exploiting vulnerability in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

This 0-day vulnerability was discovered by Lockheed Martin’s Computer Incident Response Team and was found that it is part of a targeted attack.

The maliciously-crafted PDF contains a highly obfuscated JavaScript code. The screenshot in Figure 1 shows the decoded JavaScript that is embedded on the PDF:[Figure 1 – Malicious Exploit Code]

The payload of this specially-crafted PDF is embedded on the PDF.

Inspecting inside the file, you may notice that even though the file seems to contain another executable, you cannot spot the MZ header or PE header. That’s because it encrypts the file using a simple XOR. The purpose of this routine is to bypass anti-virus engines that scan embedded executable.

[Figure 2 – Malicious Executable Embedded]

Reference:

Total Defense detections related to this attack are PDF/Pidief.AJL and Win32/Sykipot.A.

Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

  • To verify Protected View for Acrobat X is enabled, go to: Edit >Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit >Preferences >General and verify that “Enable Protected Mode at startup” is checked.

To help protect your machines from being infected, never open PDF files from untrusted sources. This especially applies while the vulnerability remains unpatched. And of course, always update your Total Defense Security Product signature files!