Dangerous Adobe Reader zero-day raises the bar

A new PDF exploit that uses a good certificate and fancy programming thumbs its nose at Windows 7's two big new security measures

1 2 Page 2
Page 2 of 2

In this case, the zero-day author found that a Unicode-related module called icucnv36.dll doesn't use ASLR. Bingo! Opening an infected PDF with Adobe Reader can get you pwned in Windows 7 -- no mean feat.

That's only part of the bad news.

Kaspersky analyst Roel Schouwenberg found that the infected PDF drops an executable file in the Windows %temp% folder. That malicious executable file is signed with a legitimate VeriSign certificate from a real credit union in Missouri. Since the program is signed with a legitimate certificate, Windows 7 will let it pass. That's the same technique used by the Stuxnet worm earlier this year. This particular dropped program attempts to download more malicious code from a server at academyhouse.us.

In short, this new zero-day incorporates some old-fashioned buffer overflow techniques with solid JavaScript programming, incorporating new ROP techniques and a stolen certificate to infect Windows 7 systems. Whoever put this puppy together really knows their stuff.

So far I've only seen one working sample of this exploit. Mila Parkour in her contagio blog shows an email message with an attached infected file. The message is aimed at golfers: "In these golf tips David Leadbetter shows you some important principles Cause & Effect, which have been helpful to thousands of amateur golfers around world." It comes with an infected file called Golf Clinic.pdf. The email message appears to hail from Poland.

With Metasploit actively working on replicating the technique, you can bet that infected PDF files will be all the rage in the next week or two.

If you ever needed a good reason to get rid of Adobe Reader, you now have it. This particular infection vector is so Acrobat/Reader-specific that folks who use Foxit Reader, or any other PDF reading alternative, should be in good shape -- at least, for this round.

This article, "Dangerous new Adobe Reader zero-day raises the bar," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.


Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2