Malicious PDF Files Used to Exploit Adobe Vulnerabilities

According to security firm ESET, its researchers have identified malicious PDF files that exploit vulnerabilities in PDF reader software; over 25,000 attacks using such files were recorded in the first two weeks of October 2008.

The reports add that spammers are exploiting two security flaws in Adobe Acrobat Reader to execute arbitrary code on victims' computers and install malware. The flaws are CVE-2007-5659 and CVE-2007-5020.

Of these, CVE-2007-5659 covers multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier that let an attacker execute arbitrary code remotely via a PDF file passing overly long arguments to unspecified JavaScript methods. Later versions, from 8.1.2 onwards, are not affected. CVE-2007-5020, an argument-injection flaw in the way Reader handled mailto: URIs, likewise allows remote code execution through a crafted PDF file.

ESET also revealed that the PDF files are obfuscated in several layers to evade anti-virus detection. The outermost layer is a PDF stream compressed with zlib (the FlateDecode filter), which malware authors use to hide the embedded JavaScript from simple inspection.

Security specialists said that the JavaScript then checks the Reader version, builds the shellcode and places copies of it across memory (a heap spray), and finally calls into the vulnerable reader. The shellcode itself is often wrapped in a further layer of JavaScript obfuscation.
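The two-layer hiding described above, as an added example that is not part of the original article or of ESET's analysis: a Python script builds a minimal PDF whose JavaScript sits inside a zlib (FlateDecode) stream, then scans it twice, once with a naive string search over the raw bytes and once after inflating every stream. The sample script, the PDF layout and the indicator patterns are all constructed for this illustration; the "shellcode" is a NOP-like filler, not a working payload.

```python
import re
import zlib

# Constructed sample script, modelled on the staging the article describes:
# read the Reader version, assemble shellcode from %u-escaped strings, grow a
# spray block and copy it many times, then call into the vulnerable reader.
# The "shellcode" is a NOP-like filler, not a working payload.
SAMPLE_JS = r"""
var v = app.viewerVersion;
var sc = unescape("%u9090%u9090%u9090%u9090");
var spray = unescape("%u0c0c%u0c0c");
while (spray.length < 0x10000) spray += spray;
var blocks = [];
for (var i = 0; i < 50; i++) blocks[i] = spray + sc;
if (v < 8.2) { /* trigger the vulnerable JavaScript method here */ }
"""


def build_pdf(js: str) -> bytes:
    """Minimal PDF whose /OpenAction runs JavaScript kept in a FlateDecode
    (zlib) stream, so the script body is invisible to a plain string search."""
    data = zlib.compress(js.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
        + data + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return out


# Capture everything between the 'stream' keyword and 'endstream'; the EOL
# before 'endstream' is included and handled by decompressobj below.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

# What to look for: the PDF names that wire up script execution, and the
# staging steps from the article (version check, %u shellcode, spray loop).
INDICATORS = {
    "/JavaScript name": rb"/JavaScript\b",
    "/OpenAction name": rb"/OpenAction\b",
    "viewer version check": rb"app\.viewerVersion",
    "%u-escaped shellcode": rb"unescape\(\s*[\"']%u",
    "heap-spray growth loop": rb"while\s*\(\s*\w+\.length\s*<",
}


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Decode every zlib stream body. Non-zlib or damaged streams are kept
    raw so they are still scanned rather than silently skipped."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        d = zlib.decompressobj()          # tolerates the trailing EOL bytes
        try:
            out = d.decompress(body)
        except zlib.error:
            bodies.append(body)
            continue
        bodies.append(out if d.eof else body)
    return bodies


def scan_pdf(pdf: bytes, inflate: bool = True) -> dict[str, bool]:
    """Return which indicators are present. With inflate=False only the raw
    file bytes are searched, which is all a naive string scanner sees."""
    texts = [pdf] + (inflate_streams(pdf) if inflate else [])
    return {name: any(re.search(pat, t) for t in texts)
            for name, pat in INDICATORS.items()}


if __name__ == "__main__":
    sample = build_pdf(SAMPLE_JS)
    for name, hit in scan_pdf(sample, inflate=False).items():
        print(f"raw only   {name:24s} {hit}")
    for name, hit in scan_pdf(sample).items():
        print(f"inflated   {name:24s} {hit}")
```

Run as-is it prints the two scans side by side: the raw search sees the /JavaScript and /OpenAction names but none of the staging, while the inflated search also finds the version check, the %u-escaped shellcode and the spray loop. Real samples add the further fold of obfuscation the article mentions, so inflating streams is a necessary first step rather than a complete detector.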

The specialists also noted that once a malicious PDF exploit has been delivered, the serving site remembers the victim's IP address for a while. During this "ban time" the exploit is not served again to that IP, which makes the attack harder to reproduce and analyse.

According to Ian Amit, Director of Security Research at Aladdin Knowledge Systems, analysing the current statistics and extrapolating them against the Neosploit code base shows that the rise in exploitation of PDF flaws can be attributed to Neosploit, as SCMagazine reported on September 26, 2008.

Users are advised to apply Adobe's patches and to refrain from opening unexpected PDF attachments.

» SPAMfighter News - 24-10-2008
