Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Attackers exploit unpatched Acrobat flaw
Published: 2009-02-23

Security firms warned last week that online criminals have begun targeting victims' computers using crafted PDF files that attack a previously unknown flaw in Adobe's Acrobat document software.

The attack — which appears to have been first noticed by Symantec, the owner of SecurityFocus — does not appear to be widespread, the security firm stated in an advisory. Adobe confirmed the vulnerability and committed to releasing a fix for the issue by March 11.

"It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations — for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run," Symantec said in its advisory. "Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat."

Because of their ubiquity, Adobe's Acrobat and Flash software have become popular targets of security researchers, who try to find vulnerabilities to help secure software, and online criminals, who try to exploit the vulnerabilities. Last year, for example, Adobe released a software update to shutter a flaw in its Flash software that allowed attackers to overlay user interface elements over a Web page. The attack, known as clickjacking, lets the attacker lead a victim to believe they are performing one action, when they are actually doing something completely different.

The latest vulnerability in Acrobat is caused by the incorrect handling of certain elements of the PDF file format, Symantec stated in its advisory.

"Once the malicious document is opened it will trigger the vulnerability," the company said. "The JavaScript payload then sprays the heap with the malicious shellcode in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim’s system."

In its advisory, Symantec recommended turning off Javascript as a workaround for the security issues. In addition, some antivirus software signatures and Snort signatures have been released for the attack.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus