Adobe Reader, Acrobat Under Attack

Zero-day vulnerabilities in the most recent versions of Adobe Reader and Acrobat are being actively exploited by attackers, who are emailing malicious PDFs to targets to remotely compromise their PCs.

That warning comes from researchers at security firm FireEye, which said it's provided copies of the exploit code to Adobe. "A PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," according to a security warning posted Tuesday by FireEye. "Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain."

Adobe said it's investigating the alleged zero-day bugs. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild," according to a brief Adobe vulnerability report released Tuesday. "We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information."

[ Can the government help with cybersecurity? Read White House Cybersecurity Executive Order: What It Means. ]

No additional details about the zero-day vulnerabilities have been publicly released, and it's not clear if the bugs allow attackers to bypass the sandbox built into Reader and Acrobat. But until the vulnerability gets patched, FireEye recommended that users avoid opening any PDF files of unknown origin.

Adobe Tuesday also patched known Flash Player vulnerabilities in Shockwave Player, Flash Player, and Adobe AIR, by releasing updates for Windows, Mac OS X, Linux and Android. That marked the second time in less than a week that Adobe, which normally only releases quarterly patch updates, released "out of band" patches to mitigate in-the-wild exploits of bugs in its products. In addition, Oracle still plans to release further patches on February 19.

In other words, 2013 is already turning out to be a banner year for bug spotting. For starters, new flaws recently surfaced not just in Flash and Adobe Reader and Acrobat, but also Internet Explorer and Java.

Microsoft Tuesday patched 57 vulnerabilities in its products, as part of its regularly scheduled, monthly patch release, and many of the bugs have been labeled as critical. "[The] critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related bulletin rated 'important' this month," said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, in a blog post. "The other vulnerabilities enable elevation of privilege and denial of service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited."

Many security experts are advising security managers to prioritize the Internet Explorer patch, which fixes 13 vulnerabilities -- privately reported to Microsoft and not yet detailed publicly -- which attackers could use to remotely exploit code on vulnerable machines. "Despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Indeed, expect attackers to be working overtime to reverse-engineer the patches, which would allow them to craft attacks that exploit Windows PCs that haven't been patched.

One critical Microsoft patch addresses flaws in the Windows media codec, which could be exploited by crafting a malicious media file. Another fix targets vulnerabilities in the RTF file format that could be exploited by crafting a malicious RTF file, which if opened in Microsoft Word or WordPad would allow an attacker to compromise the PC. "Microsoft warns that this is likely to be exploited in the wild within 30 days," said Ducklin.

While those vulnerabilities affect clients, another critical vulnerability exists on Microsoft Exchange servers with Oracle's Outside In technology. The vulnerabilities could be exploited by attackers to remotely compromise the server or create a denial of service.

Security researchers have also published further details of the bugs that were patched last week in Adobe's Flash Player. According to a blog post from Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov, the vulnerabilities (designated CVE-2013-0633) are being actively exploited by "so-called 'legal' surveillance malware created by the Italian company HackingTeam." The Italian company's surveillance software is called RCS (Remote Control System), aka DaVinci, and has been used "against human rights activists and political dissidents from Africa, South America and the Middle East," according to the researchers.

The Kaspersky Lab researchers said they cataloged six different ways that RCS has been installed on targets' computers, and four of them employ zero-day vulnerabilities. "Interestingly ... two of the 0-days appear to have been created by the French offensive security company Vupen," said the researchers. "The link was also previously pointed out by Citizen Lab's report, which says it's unclear if the exploits used with HackingTeam's malware have been purchased from Vupen, or just engineered in parallel."

Chaouki Bekrar, CEO and head of research for Vupen, dismissed as "defamatory allegations and unproven claims" the Kaspersky Lab suggestion that his company may have sold the zero-day vulnerabilities to HackingTeam. "We did not develop nor sell any of these exploits," Bekrar said via email. "In the vulnerability research field, it often happens that many unlinked researchers, groups or companies work on similar flaws or exploits without knowledge of the others, we call this vulnerability overlaps and it's very common and usual."

Note: Story updated to correct error in number of flaws fixed.