Lockheed Warns Adobe of New Exploit in the Wild

Wednesday, December 07, 2011


The computer incident response team at defense contractor Lockheed has reported that it detected active exploitation of vulnerabilities in Adobe's Reader and Acrobat applications; the alert has been confirmed by the Defense Security Information Exchange.

The vulnerability involves the applications' handling of the Universal 3D (U3D) file format and could allow an attacker to remotely take control of an affected system.

"This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing," an Adobe security advisory stated.

Affected versions include:

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

According to an accompanying blog post by Adobe's Brad Arkin, senior director of product security, all versions listed are vulnerable, but the only active exploit detected thus far targets Reader 9.x for Windows, and the company will focus on mitigation for that version first.

"The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)," Arkin wrote.

"Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier. We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers," Arkin continued.

Arkin further summarized Adobe's plan of action in response to the new vulnerability:

  • We are planning to release an out-of-cycle security update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011.
  • Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit targeting this vulnerability from executing, we are planning to address this issue in Adobe Reader and Acrobat X for Windows with the next quarterly security update on January 10, 2012.
  • The risk to Macintosh and UNIX users is significantly lower. We are therefore planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update on January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

Meanwhile, Adobe recommends the following mitigation advice:

"Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing. To verify Protected View for Acrobat X is enabled, go to: Edit > Preferences > Security (Enhanced) and ensure 'Files from potentially unsafe locations' or 'All files' with 'Enable Enhanced Security' are checked. To verify Protected Mode for Adobe Reader X is enabled, go to: Edit > Preferences > General and verify that 'Enable Protected Mode at startup' is checked."
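Clicking through the Preferences dialog does not scale to a fleet, so here is an added example (my own code, not from the article or from Adobe) that reports, per host, whether the installed Reader or Acrobat build falls in the affected ranges listed above and whether the sandbox mitigation is switched on for the current user. The registry locations for the Protected Mode and Protected View settings are assumptions to verify against Adobe's Acrobat X Preference Reference; the App Paths key is the standard Windows executable registration.

```powershell
# Added example: check Reader/Acrobat versions against the advisory's affected ranges
# and report whether the Protected Mode / Protected View mitigation is enabled.
# ASSUMPTION: the Key/Value pairs below are taken from memory of Adobe's preference
# reference and must be verified before relying on this check.
$Checks = @(
    @{ Product = 'Adobe Reader';  Exe = 'AcroRd32.exe'
       Key = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\Privileged'
       Value = 'bProtectedMode';  IsOn = { param($v) $v -eq 1 } },   # 1 = Protected Mode on
    @{ Product = 'Adobe Acrobat'; Exe = 'Acrobat.exe'
       Key = 'HKCU:\Software\Adobe\Adobe Acrobat\10.0\TrustManager'
       Value = 'iProtectedView';  IsOn = { param($v) $v -ge 1 } }    # 1 = unsafe locations, 2 = all files
)

# Affected ranges quoted in the advisory: 10.x up to 10.1.1 and 9.x up to 9.4.6.
function Test-AffectedVersion([version]$v) {
    ($v.Major -eq 10 -and $v -le [version]'10.1.1') -or
    ($v.Major -eq 9  -and $v -le [version]'9.4.6')
}

function Get-InstalledExePath([string]$exe) {
    # Adobe installers register their executables under the Windows App Paths key.
    $appPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$exe"
    if (Test-Path $appPath) { (Get-ItemProperty $appPath).'(default)' }
}

foreach ($c in $Checks) {
    $exePath = Get-InstalledExePath $c.Exe
    if (-not $exePath -or -not (Test-Path $exePath)) { continue }    # product not installed
    $ver      = [version](Get-Item $exePath).VersionInfo.ProductVersion
    $affected = Test-AffectedVersion $ver

    # Protected Mode / Protected View exist only in the X (10.x) products. An absent
    # value means the product default applies, which we report as 'Unknown' rather
    # than guessing; confirm it in the Preferences dialog described in the advisory.
    $mitigated = 'N/A'
    if ($ver.Major -eq 10) {
        $raw = if (Test-Path $c.Key) { (Get-ItemProperty $c.Key).($c.Value) }
        $mitigated = if ($null -eq $raw) { 'Unknown' } else { [bool](& $c.IsOn $raw) }
    }
    $action = if (-not $affected)          { 'OK' }
              elseif ($mitigated -eq $true) { 'Sandboxed; patch at next cycle' }
              else                          { 'Patch or enable sandbox now' }

    [pscustomobject]@{ Product = $c.Product; Version = $ver
                       Affected = $affected; Mitigated = $mitigated; Action = $action }
}
```

Run it under the user's own account (the settings are per-user), or wrap the `foreach` in a remoting call to collect results across hosts.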

Exploitation of Adobe products, including the company's Flash Player and the ubiquitous PDF format, has been a major concern for security professionals for some time. The problem is compounded by the fact that most antivirus software does not detect malicious code in PDF documents.

Earlier this year a vulnerability in Adobe software opened the door for attackers in the hack of security vendor RSA. In that targeted attack, the attackers sent emails carrying an attachment to a select group of RSA employees.

The attachment contained malware that exploited the Adobe flaw and installed a version of the Poison Ivy remote administration tool (RAT), which the attackers used to harvest authentication credentials that gave them access to other systems on the company's network.

The RSA attack subsequently led to breaches at Lockheed Martin, L-3 Communications and Northrop Grumman, all of which appear to have been the result of data that was stolen in the RSA SecurID hack.

In July of this year, researchers from security provider F-Secure also discovered a malicious PDF sample that appeared to be intended for a targeted attack against defense contractor employees.

The attack exploited a vulnerability in the JavaScript handling that allows malicious code to be embedded in the file; the code then infects the victim's computer and can create a backdoor that attackers use to access systems and glean sensitive information.

Last month F-Secure's Mikko Hypponen urged organizations to reconsider the continued use of Adobe Reader given the tendency for attackers to exploit the application's frequent vulnerabilities. Hypponen made the comments during the recent PacSec 2011 conference in Tokyo.
