On Wednesday, Adobe posted yet another advisory for a flaw [1] in Adobe Acrobat and Reader that "could cause a crash and potentially allow an attacker to take control of the affected system." Ho hum. For the umpteenth time in the past couple of years, Adobe warns us yet again that if you open a jiggered PDF file with Adobe Reader, the bad guys can take control of your system [2].
But there's more to the story. The untold part sends shivers down my spine.
Most PDF exploits work in a very well-defined, boring way. Somebody discovers how to make Adobe Reader run attacker-supplied JavaScript, or corrupt its own memory while parsing an embedded object, in a way that bypasses the usual safeguards. In this particular case, the trickster put together a malformed TrueType font that caused Adobe Reader to go nuts. TrueType fonts store their data in fixed-layout tables, and by declaring more data for a field than the buffer that receives it can hold, Reader can be made to overwrite memory with attacker-chosen bytes and so run a program hidden away inside the PDF file. That overflow, combined with an auto-executing JavaScript program that adapts its payload to whichever version of Reader is installed, put the exploit in motion.
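To make the "more data in a field than it's supposed to have" part concrete, here is an added illustration (not Adobe's code, and not the actual font table involved): a toy parser for a hypothetical table whose first byte declares the length of the name that follows, beside a bounds-checked version. The `struct frame` stands in for the parser's stack frame, with a control value sitting just past the fixed-size name buffer so the overrun is visible; the table bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Stand-in for the parser's stack frame: the fixed-size name buffer sits
 * right below a control value (think saved return address or a flag). */
struct frame {
    char     name[NAME_MAX];
    uint32_t ctrl;
};

/* Hypothetical table layout: byte 0 is the declared name length,
 * followed by that many bytes of name. */

/* Vulnerable: trusts the file's length byte when writing the destination. */
int parse_name_unsafe(const uint8_t *tbl, size_t tbl_len, struct frame *f)
{
    if (tbl_len < 1)
        return -1;
    size_t len = tbl[0];                 /* attacker-controlled */
    if (tbl_len < 1 + len)               /* guards the read... */
        return -1;
    unsigned char *dst = (unsigned char *)f->name;
    for (size_t i = 0; i < len; i++)     /* ...but never the write */
        dst[i] = tbl[1 + i];
    if (len < NAME_MAX)
        f->name[len] = '\0';
    return 0;
}

/* Hardened: the declared length must fit the destination, NUL included. */
int parse_name_safe(const uint8_t *tbl, size_t tbl_len, struct frame *f)
{
    if (tbl_len < 1)
        return -1;
    size_t len = tbl[0];
    if (len >= NAME_MAX || tbl_len < 1 + len)
        return -1;
    memcpy(f->name, tbl + 1, len);
    f->name[len] = '\0';
    return 0;
}

/* Constructed malicious table: 20 'A's where only 16 fit. */
static size_t evil_table(uint8_t *out)
{
    out[0] = NAME_MAX + 4;
    memset(out + 1, 'A', NAME_MAX + 4);
    return 1 + NAME_MAX + 4;
}

/* Returns ctrl after the unsafe parser runs on the malicious table. */
uint32_t ctrl_after_unsafe(void)
{
    struct frame f = { "", 0xDEADBEEFu };
    uint8_t tbl[1 + NAME_MAX + 4];
    size_t n = evil_table(tbl);
    parse_name_unsafe(tbl, n, &f);
    return f.ctrl;                       /* the four bytes past the buffer: "AAAA" */
}

/* Returns the safe parser's verdict on the same table (-1 = rejected). */
int safe_verdict(void)
{
    struct frame f = { "", 0xDEADBEEFu };
    uint8_t tbl[1 + NAME_MAX + 4];
    size_t n = evil_table(tbl);
    return parse_name_safe(tbl, n, &f);
}

/* Returns 1 if the safe parser still accepts a well-formed short name. */
int safe_short_name_ok(void)
{
    struct frame f = { "", 0 };
    const uint8_t tbl[] = { 5, 'A', 'r', 'i', 'a', 'l' };
    return parse_name_safe(tbl, sizeof tbl, &f) == 0 && strcmp(f.name, "Arial") == 0;
}

int main(void)
{
    printf("unsafe: ctrl = 0x%08x\n", ctrl_after_unsafe());
    printf("safe:   verdict = %d, short name ok = %d\n", safe_verdict(), safe_short_name_ok());
    return 0;
}
```

The unsafe parser checks that the file actually contains the bytes it is about to read, which is the check most people remember to write, but never checks that the destination can hold them. In a real exploit the bytes that land on `ctrl` are not "AAAA" but an address the attacker chose.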
Up to this point, the exploit's a clever buffer overflow dancer -- well designed but not particularly interesting. Now here's the scary part.
Whoever put this zero-day together figured out a way to bypass Windows 7's vaunted ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) lock-down technologies. (Neither is actually new to Windows 7: DEP dates to XP SP2 and ASLR to Vista.) I talked about ASLR and DEP in my July 6 blog, "Big-name Windows apps neglect security [6]." The author of this particular zero-day used a technique called ROP, or Return Oriented Programming, to let the malware thumb its nose at both of Windows 7's big security measures. The Metasploit blog [7] has details.
ROP relies on finding and reusing snippets of code that are already loaded in memory, in parts of the process that haven't been locked down. The gist of it: DEP stops the attacker from executing the bytes he smuggled in as data, so instead he borrows instructions that are already marked executable. Each borrowed snippet, called a gadget, is a few instructions that sit just before a Return instruction. The attacker lays out a list of gadget addresses on the stack, and every Return pops the next one, so control passes from gadget to gadget and the malware stays in control without a single byte of injected code ever being executed. The catch is that the gadget addresses have to be known in advance, which is exactly what ASLR is supposed to prevent. Peter Van Eeckhoutte has a detailed, working introduction to ROP in his Exploit Writing Tutorial Part 10: Chaining DEP with ROP - the Rubik's [TM] Cube [8].
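The following is an added illustration, not code from the article or from the Metasploit module: a toy return-oriented machine that shows the two properties that matter here. The attacker writes only data (a list of addresses and operands on the stack), and the chain only works if the module holding the gadgets sits where the attacker assumed it would. The gadgets, register names and the "VirtualProtect" stand-in are all hypothetical; the dispatcher's pop-and-jump models what the `ret` at the end of each gadget does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy CPU: two registers, a stack pointer (index into the stack), and a
 * counter standing in for a dangerous API the attacker wants to reach. */
struct cpu {
    uint32_t eax, ebx;
    uint32_t esp;
    uint32_t stack[32];
    int halted;
    int protect_calls;          /* stand-in for VirtualProtect(eax, ebx) */
};

typedef void (*gadget)(struct cpu *);

static uint32_t pop(struct cpu *c) { return c->stack[c->esp++]; }

/* Gadgets: each is the few instructions before a ret. The ret itself is
 * modelled by the dispatcher popping the next address. */
static void g_halt(struct cpu *c)        { c->halted = 1; }
static void g_pop_eax(struct cpu *c)     { c->eax = pop(c); }      /* pop eax ; ret */
static void g_pop_ebx(struct cpu *c)     { c->ebx = pop(c); }      /* pop ebx ; ret */
static void g_add_eax_ebx(struct cpu *c) { c->eax += c->ebx; }     /* add eax, ebx ; ret */
static void g_protect(struct cpu *c)     { c->protect_calls++; }   /* call [VirtualProtect] ; ret */

/* The module's code, indexed by offset from wherever the loader put it. */
static const gadget module_text[] = {
    g_halt, g_pop_eax, g_pop_ebx, g_add_eax_ebx, g_protect
};
#define MODULE_SIZE (sizeof module_text / sizeof module_text[0])

/* Executes whatever addresses are on the stack. Returns 0 on a clean halt,
 * -1 when a popped address points outside the module (a crash). */
int run(struct cpu *c, uint32_t load_base)
{
    while (!c->halted) {
        if (c->esp >= 32)
            return -1;
        uint32_t eip = pop(c);
        if (eip < load_base || eip - load_base >= MODULE_SIZE)
            return -1;
        module_text[eip - load_base](c);
    }
    return 0;
}

/* The attacker's payload: pure data, written assuming the module lives at
 * assumed_base. If it runs, eax ends up 0x42 and the "API" is reached. */
void write_chain(struct cpu *c, uint32_t assumed_base)
{
    const uint32_t chain[] = {
        assumed_base + 1, 0x40,      /* pop eax ; ret        -> eax = 0x40 */
        assumed_base + 2, 0x02,      /* pop ebx ; ret        -> ebx = 2 */
        assumed_base + 3,            /* add eax, ebx ; ret */
        assumed_base + 4,            /* call VirtualProtect ; ret */
        assumed_base + 0,            /* halt */
    };
    c->esp = 0;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++)
        c->stack[i] = chain[i];
}

/* Runs a chain built for assumed_base against a module loaded at actual_base.
 * Returns how often the dangerous API was reached, or -1 if the chain crashed. */
int attack(uint32_t assumed_base, uint32_t actual_base)
{
    struct cpu c = {0};
    write_chain(&c, assumed_base);
    if (run(&c, actual_base) != 0)
        return -1;
    return c.protect_calls;
}

int main(void)
{
    printf("module not randomized (always at 0x10000000): %d\n",
           attack(0x10000000u, 0x10000000u));
    printf("module moved by ASLR to 0x6a3d0000:          %d\n",
           attack(0x10000000u, 0x6a3d0000u));
    return 0;
}
```

The first run reaches the API stand-in because every address in the chain lands on a gadget; the second crashes on the very first pop, because the addresses the attacker baked in no longer point at code. That is why a single module loaded at a fixed address is worth so much to an exploit writer.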
In this case, the zero-day author found that icucnv36.dll, a Unicode-conversion library (ICU, International Components for Unicode) that Reader loads, isn't built to support ASLR, so Windows maps it at its preferred address every time and it supplies a reliable, never-moving set of gadgets. Bingo! Opening an infected PDF with Adobe Reader can get you pwned in Windows 7 -- no mean feat.
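Whether a DLL supports ASLR is recorded in its PE header: the `DllCharacteristics` field of the optional header carries the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` bit (0x0040), and the DEP opt-in `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` bit (0x0100) sits next to it. Here is an added example (my own, not from the article or any of the tools it cites) that reads those bits so you can sweep an install directory for modules that, like icucnv36.dll, leave the flag clear. The constructed sample header in `build_sample_pe` is the minimal skeleton the parser needs and is not a loadable image.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DllCharacteristics bits from the PE spec (IMAGE_DLLCHARACTERISTICS_*). */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* image may be relocated: ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100   /* image is DEP/NX compatible */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the DllCharacteristics field of the PE image in buf, or -1 if
 * buf does not hold a PE32/PE32+ header. The field is at offset 70 of the
 * optional header in both formats. */
int pe_dll_characteristics(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t pe_off = rd32(buf + 0x3C);                   /* e_lfanew */
    /* need Signature(4) + FileHeader(20) + OptionalHeader through offset 72 */
    if (pe_off > len || len - pe_off < 4 + 20 + 72)
        return -1;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *opt = buf + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B)                 /* PE32, PE32+ */
        return -1;
    return rd16(opt + 70);
}

/* 1 if the image opts into ASLR, 0 if not, -1 if it is not a PE image. */
int pe_has_aslr(const uint8_t *buf, size_t len)
{
    int dc = pe_dll_characteristics(buf, len);
    return dc < 0 ? -1 : (dc & DLLCHAR_DYNAMIC_BASE) != 0;
}

/* Constructed sample: smallest PE32 header skeleton the parser needs. */
size_t build_sample_pe(uint8_t *out, size_t cap, uint16_t dllchars)
{
    const uint32_t pe_off = 0x80;
    const size_t need = pe_off + 4 + 20 + 72;
    if (cap < need)
        return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (uint8_t)pe_off;                           /* e_lfanew, little-endian */
    memcpy(out + pe_off, "PE\0\0", 4);
    uint8_t *opt = out + pe_off + 24;
    opt[0] = 0x0B; opt[1] = 0x01;                          /* magic 0x10B = PE32 */
    opt[70] = (uint8_t)(dllchars & 0xFF);
    opt[71] = (uint8_t)(dllchars >> 8);
    return need;
}

/* Convenience: parse a constructed sample with the given flags. */
int sample_dll_characteristics(uint16_t dllchars)
{
    uint8_t buf[256];
    size_t n = build_sample_pe(buf, sizeof buf, dllchars);
    return pe_dll_characteristics(buf, n);
}

int sample_has_aslr(uint16_t dllchars)
{
    uint8_t buf[256];
    size_t n = build_sample_pe(buf, sizeof buf, dllchars);
    return pe_has_aslr(buf, n);
}

/* Usage: pecheck <file.dll> ...  (e.g. every DLL under the Reader install dir) */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        FILE *fp = fopen(argv[i], "rb");
        if (!fp) { perror(argv[i]); continue; }
        uint8_t buf[4096];
        size_t n = fread(buf, 1, sizeof buf, fp);
        fclose(fp);
        int dc = pe_dll_characteristics(buf, n);
        if (dc < 0) { printf("%s: not a PE image\n", argv[i]); continue; }
        printf("%s: DllCharacteristics=0x%04x ASLR=%s DEP=%s\n", argv[i], dc,
               (dc & DLLCHAR_DYNAMIC_BASE) ? "yes" : "NO",
               (dc & DLLCHAR_NX_COMPAT) ? "yes" : "NO");
    }
    return 0;
}
```

A module that reports `ASLR=NO` is mapped at its preferred `ImageBase` in every process that loads it, so every gadget inside it has a fixed, predictable address. One such module in an otherwise fully randomized process is enough, which is the whole point of the icucnv36.dll finding.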
That's only part of the bad news.
Kaspersky analyst Roel Schouwenberg found that the infected PDF drops an executable file in the Windows %temp% folder [9]. That malicious executable is signed with a legitimate VeriSign certificate issued to a real credit union in Missouri. Because the signature chains to a trusted CA and validates, Windows 7 raises none of its unknown-publisher warnings and signature-trusting security tools wave the file through. That's the same technique used by the Stuxnet worm [10] earlier this year, which also carried stolen code-signing certificates. This particular dropped program attempts to download more malicious code from a server at academyhouse.us.
In short, this new zero-day combines an old-fashioned buffer overflow with solid JavaScript programming, a ROP chain to defeat DEP and ASLR, and a stolen certificate to infect Windows 7 systems. Whoever put this puppy together really knows their stuff.
So far I've only seen one working sample of this exploit. Mila Parkour in her contagio blog shows an email message with an attached infected file [11]. The message is aimed at golfers: "In these golf tips David Leadbetter shows you some important principles Cause & Effect, which have been helpful to thousands of amateur golfers around world." It comes with an infected file called Golf Clinic.pdf. The email message appears to hail from Poland.
With Metasploit actively working on replicating the technique, you can bet that infected PDF files will be all the rage in the next week or two.
If you ever needed a good reason to get rid of Adobe Reader, you now have it. This particular infection vector is so Acrobat/Reader-specific that folks who use Foxit Reader [12], or any other PDF reading alternative, should be in good shape -- at least, for this round. If you're stuck with Reader, note that the font bug lives in Reader's font parser, so turning off JavaScript in Reader's preferences takes away the JavaScript half of this attack but does not remove the underlying overflow.
This article, "Dangerous new Adobe Reader zero-day raises the bar [13]," was originally published at InfoWorld.com [14].