
Adobe PDF Zero-Day Exploit Discovered in the Wild – McAfee Labs Blog


Wednesday September 8, 2010 at 1:55 pm CST
Posted by Xiao Chen


Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered malware in the wild exploiting a new 0-day vulnerability. Like the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0-day is a font-parsing bug: it is triggered while Adobe Reader parses TrueType fonts embedded in a PDF. We have analyzed the sample and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).

This 0-day is a typical stack buffer overflow, and exploitation is expected to be relatively easy. Although the latest version of Adobe Reader is compiled with stack protection (/GS), the in-the-wild exploit uses a return-oriented programming (ROP) chain to bypass the /GS protection and DEP. ROP reuses short instruction sequences that already exist in the process's executable modules, so the attacker never needs to run code from the stack or heap, which is exactly what DEP forbids.
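To make the bug class concrete, here is an added example (not code from McAfee Labs, Adobe, or the exploit itself) of a toy parser for a TrueType-style table record whose name is copied into a fixed-size stack buffer. The record layout (a 2-byte big-endian length followed by name bytes), the 32-byte buffer, and all function names are assumptions for illustration only; the unchecked parser is the shape of defect the post describes, and the checked parser beside it refuses any name that would not fit.

```c
/* Added example, not McAfee's or Adobe's code. Toy parser for a
 * TrueType-style table record: 2-byte big-endian name length, then the
 * name bytes. Record layout, NAME_BUF and all names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* fixed-size stack buffer (assumed size) */

/* Hypothetical decoded record. */
struct table_rec {
    uint16_t name_len;
    const uint8_t *name;
};

/* Decode a record header from raw bytes. Returns 0 on success, -1 if the
 * header is truncated or claims more name bytes than the data holds. */
int decode_record(const uint8_t *data, size_t len, struct table_rec *out) {
    if (len < 2) return -1;
    uint16_t n = (uint16_t)((data[0] << 8) | data[1]);
    if ((size_t)n > len - 2) return -1;   /* length field exceeds the data */
    out->name_len = n;
    out->name = data + 2;
    return 0;
}

/* Vulnerable form: copies name_len bytes into a NAME_BUF stack buffer with
 * no bound. A name of NAME_BUF bytes or more overruns buf and, past it, the
 * saved frame and return address: the classic stack buffer overflow. Call
 * this only with a record you already know is short. */
int parse_name_unchecked(const struct table_rec *rec, char *out, size_t outlen) {
    char buf[NAME_BUF];
    memcpy(buf, rec->name, rec->name_len);   /* BUG: trusts name_len */
    buf[rec->name_len] = '\0';
    snprintf(out, outlen, "%s", buf);
    return (int)rec->name_len;
}

/* Hardened form: reject any name that would not fit with its NUL. */
int parse_name_checked(const struct table_rec *rec, char *out, size_t outlen) {
    char buf[NAME_BUF];
    if (rec->name_len >= NAME_BUF) return -1;   /* would overflow: refuse */
    memcpy(buf, rec->name, rec->name_len);
    buf[rec->name_len] = '\0';
    snprintf(out, outlen, "%s", buf);
    return (int)rec->name_len;
}

/* True when a record would overrun the fixed buffer in the unchecked parser. */
int would_overflow(const struct table_rec *rec) {
    return rec->name_len >= NAME_BUF;
}

/* Build a constructed record: big-endian length, then name_len copies of
 * fill. Returns total bytes written, or 0 if dst is too small. */
size_t make_record(uint8_t *dst, size_t dstlen, uint16_t name_len, uint8_t fill) {
    if (dstlen < (size_t)name_len + 2) return 0;
    dst[0] = (uint8_t)(name_len >> 8);
    dst[1] = (uint8_t)(name_len & 0xff);
    memset(dst + 2, fill, name_len);
    return (size_t)name_len + 2;
}

int main(void) {
    uint8_t raw[512];
    char name[64];
    struct table_rec rec;

    /* constructed benign record: 8-byte name */
    size_t n = make_record(raw, sizeof raw, 8, 'A');
    decode_record(raw, n, &rec);
    printf("checked, short name -> %d\n", parse_name_checked(&rec, name, sizeof name));

    /* constructed malicious record: 200-byte name, far beyond NAME_BUF */
    n = make_record(raw, sizeof raw, 200, 'B');
    decode_record(raw, n, &rec);
    printf("would_overflow -> %d\n", would_overflow(&rec));
    printf("checked, long name -> %d\n", parse_name_checked(&rec, name, sizeof name));
    /* parse_name_unchecked(&rec, ...) here would smash the stack; not called. */
    return 0;
}
```

Note that `decode_record` only verifies the length field against the bytes actually present; that is a file-consistency check, not a bound on the destination buffer, which is why the checked parser still has to compare `name_len` against `NAME_BUF` itself. A /GS cookie sits between the local buffer and the return address, but it is only examined on function return, so the overwritten bytes are already in place by the time it is checked.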

We saw the same technique used against an older Adobe TIFF-parsing vulnerability. Taken together, this suggests that ROP is gaining wider acceptance among malware writers as a way to bypass DEP and existing stack protections.

McAfee Labs is currently coordinating with Adobe PSIRT and has provided them with additional details on the bug. The Adobe team is actively working on the issue. No patch is available at the time of writing; until one ships, Adobe Reader and Acrobat users are urged to keep the security definitions of their various protection products up to date.

McAfee protection to date:

  • McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
  • DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
  • Host IPS: Generic Buffer Overflow protection provides partial coverage
  • Foundstone: The FSL package of September 8 includes a vulnerability check to assess whether your systems are at risk
