[ISN] Critical Zero-Day PDF Bug Compromises Windows PCs

From: InfoSec News (alerts@private)
Date: Thu Sep 20 2007 - 21:59:40 PDT


http://www.eweek.com/article2/0,1895,2186101,00.asp

By Lisa Vaas
September 20, 2007

A zero-day PDF vulnerability in Adobe's Acrobat Reader has come to light 
that can lead to Windows boxes getting taken over completely and 
invisibly, according to a security researcher.

"All it takes is to open a [maliciously rigged] PDF document or stumble 
across a page which embeds one," said researcher Petko D. Petkov, aka 
pdp, in a blog posting on Sept. 20.

Petkov said he's closing the season with this highly critical flaw, a 
season that has included, at least in the past two weeks, his discovery of 
a slew of serious vulnerabilities in meta media files: a QuickTime flaw 
that can be used to hijack Firefox and Internet Explorer; a simple 
method of loading HTML files into Windows Media Player files; and an 
easy, six-step method by which to penetrate Second Life accounts with an 
IE bug.

This PDF vulnerability is even worse than the QuickTime flaw, Petkov 
said. Mozilla provided a Firefox workaround for the QuickTime flaw 
earlier the week of Sept. 17, but it can still be used to compromise 
Internet Explorer, as security researcher Thor Larholm demonstrated in a 
posting on Sept. 19. Apple hasn't yet released any details on the status 
of a QuickTime fix.

Paul Henry, vice president of technology and evangelism at Secure 
Computing, based in San Jose, Calif., said in an interview with eWEEK 
that PDF vulnerabilities have a strong advantage when it comes to users 
being tempted into opening them, giving this vulnerability the potential 
to become a "huge" attack vector. "From a social engineering standpoint, 
it's easier to attach a PDF to e-mail and assume [the target will] open 
it. If you've got a request to launch a video conversation from someone 
you never heard of, chances are you won't do it. Or you won't click on a 
video online if you don't know where it's from. But from a social 
engineering point of view, this is deeper."

For its part, Symantec, based in Cupertino, Calif., on Sept. 20 warned 
customers using its DeepSight Alert Services that Adobe Acrobat is 
subject to "an unspecified vulnerability when handling malicious PDF 
files," allowing remote users to take over targeted machines.

The scenario is that an attacker rigs a PDF file designed to exploit the 
flaw. He or she distributes it via e-mail or through other means, or 
hosts it on a Web page. When a user opens the rigged PDF file with a 
vulnerable application, the user's machine can be loaded with malware 
that makes it open to a takeover.

Symantec said it's not aware of any working exploits out yet.

Still, Henry warned, the PDF threat is real. "The ability to use PDFs to 
install malware and steal personal information from remote PCs is here," 
he said in a statement. "Readers should be cautioned to only open PDF 
files from senders they explicitly trust."

Given that this latest meta media file flaw with PDF documents is so 
critical, given also that PDFs are used throughout the business world, 
and given the fact that he expects Adobe will take a while to fix its 
closed-source product, Petkov said he's refraining from publishing any 
POC (proof-of-concept) code.

"You have to take my word for it. The POCs will be released when an 
update is available," he said.

This has miffed some. "If you have nothing else to publish than 'Please 
don't open PDF Docs, but I can't tell you why,' it would be a better 
choice [to] shut up instead [of] bringing no information," wrote 
somebody with the handle of Jan Heisterkamp.

Others are willing to take Petkov's word that the flaw is too critical 
for a POC. As it is, Petkov's credibility is shored up in no small part 
by five PDF POCs he put out in January.

One of those PDF vulnerability POCs automatically opened a folder 
displaying the victim's c: drive on his desktop; another displayed the 
file path to the temporary stored PDF and revealed the user name; and 
Petkov also posted self-contained, local, Universal PDF XSS (cross-site 
scripting) flaws: one for Internet Explorer, one for Firefox and one for 
Opera.

In spite of Petkov's having refrained from putting out a POC for the 
latest PDF flaw, somebody's sure to piece together an exploit or POC out 
of the other five, Henry said.

"Everybody and his brother has the other five POCs he put together. With 
a little tweaking I'm sure they'll put them together pretty quickly," he 
said. "I would have to assume [the six PDF vulnerabilities are related]. 
He's done a lot of work attaching JavaScript to media files. We have to 
assume this latest trick involves a change in something with the media 
files, with JavaScript. It's not rocket science."

Henry said Secure Computing, for one, has been sounding the alarm about 
PDF since Petkov's original postings.

"We raised the flag in January when [Petkov] discovered the initial 
[PDF] vulnerabilities and publicly released the POC code," he said. 
"Shortly after that we saw a huge upsurge in PDF attachments in spam. We 
all have to be cognizant that the POC is out there for potential 
vulnerabilities. This would be a very good vehicle for malicious guys to 
move code into our networks."

Adobe, also based in San Jose, said within the past few weeks that the 
five vulnerabilities in the January POCs represented a low threat risk. 
But with Petkov's most recent finding, Henry said, "We see an 
announcement that at least this current version is absolutely not low 
risk."

"I think this will create problems for us," Henry said. "I'm [warning] 
people plans need to be put in place to quickly raise awareness in the 
organization that there might be a risk in PDF files. We're informing 
users to not open files that a) come from someone they don't know and b) 
they aren't expecting."

Petkov wrapped up his most recent, most terse PDF posting by telling 
Adobe's representatives that they can contact him "from the usual 
place." Adobe representatives hadn't been able to provide information on 
the company's awareness of, or response to, the vulnerability by the 
time this story posted.

Petkov's advice is to keep away from PDF files, local or remote. He said 
other viewers besides Adobe's Acrobat Reader might be vulnerable as 
well. He has verified the PDF issue on Windows XP Service Pack 2 with 
the latest Adobe Reader 8.1, although previous versions are also 
affected, he said.


This archive was generated by hypermail 2.1.3 : Thu Sep 20 2007 - 22:13:22 PDT