Researchers from FireEye claim to have discovered a new security vulnerability in Adobe Reader that is being actively exploited in the wild. If the report proves to be true, it would be the first documented case of an attack getting around Reader’s sandbox protections.
The Next Web’s Emil Protalinski reported, “A new Adobe Reader 0-day vulnerability has been discovered, and is already being exploited in the wild. Currently, disabling Adobe Reader and using another PDF reader is the only way to protect your computer. The finding comes from FireEye, which says the critical vulnerability allows criminals to inject malicious code into a system. The company says it has confirmed successful exploitation on the latest versions of Adobe Reader, including 9.5.3, 10.1.5, and 11.0.1.”
Computerworld’s Lucian Constantin explained, “The exploit drops and loads two DLL files on the system. One file displays a bogus error message and opens a PDF document that’s used as a decoy, the FireEye researchers said. Remote code execution exploits regularly cause the targeted programs to crash. In this context, the fake error message and second document are most likely used to trick users into believing that the crash was the result of a simple malfunction and the program recovered successfully. Meanwhile, the second DLL installs a malicious component that calls back to a remote domain, the FireEye researchers said.”
Ars Technica’s Dan Goodin noted, “If true, the attacks are notable because they pierce security defenses Adobe engineers designed to make malware attacks harder to carry out…. So far, there have been no documented in-the-wild exploits that have successfully bypassed the Reader sandbox. The protection is designed to minimize the damage of attacks that exploit buffer overflows and other types of software bugs by isolating Web content from sensitive parts of the underlying operating system. As a result, the application will typically crash when flaws are exploited, but attackers remain unable to remotely execute malicious code on vulnerable computers.”
On its company blog, Adobe said, “Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information.”