GetIcon() Flaw in Adobe Software Exploited with PDF File
Security researchers at Symantec, an antivirus provider, have found a malicious PDF file that exploits the getIcon() security flaw in Adobe Acrobat and Reader.
According to the researchers, the flaw lets attackers run malicious software remotely on computers with vulnerable versions of Adobe Reader and Acrobat. Exploitation requires user interaction, however: the end user must open a maliciously crafted file or visit a website hosting the malware.
The researchers also point out an interesting aspect of the flaw: no attack code for it had previously been known. Two commercial proof-of-concept exploits had been developed, by Core Security Technologies and VUPEN Security, but neither was available to the public or had been seen in the wild.
After studying the exploit, Sean Hittel of Symantec says a further interesting aspect is that it carries the most recent Neosploit encoder; Neosploit is a sophisticated exploit framework used to compromise the computers of visitors to websites that host it, as Softpedia reported on April 10, 2009. Although some exploit developers claim Neosploit has disappeared, Symantec's honeypots have kept receiving repeated updates of it, the researcher states.
Trend Micro, another international security vendor, has also spotted and publicized the same exploit. J.J. Reyes, an advanced threat researcher at Trend Micro, reports that cybercriminals have updated their PDF exploits to include the getIcon() flaw (CVE-2009-0927); the company currently detects the file as TROJ_PIDIEF.OE, as Softpedia reported on April 10, 2009.
Security experts are therefore urging users to upgrade Adobe Acrobat and Reader to version 9.1, 8.1.3 or 7.1.1, depending on the release branch they have deployed.
Ultimately, they say, Adobe Reader has become a preferred target for attackers because it is widely deployed and has many flaws that allow remote code execution.
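As a defender-side triage aid, added here and not part of the original article or any vendor's tooling, the following Python flags PDFs carrying embedded JavaScript that references getIcon(), the indicator the vendors above describe; it inflates FlateDecode streams and unescapes hex-encoded PDF names (such as /J#61vaScript) so that simple name obfuscation does not hide the call. The sample PDF it builds is constructed test data, not a real malicious file, and the heuristics are an assumption about what a first-pass scanner should look for.

```python
import re
import zlib


def _unescape_pdf_name(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript); normalise them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is FlateDecode, raw otherwise."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def triage_pdf(pdf: bytes) -> dict:
    """Return heuristic indicators for a PDF: embedded JS, a getIcon() reference, auto-run actions."""
    views = [_unescape_pdf_name(pdf)] + [_unescape_pdf_name(s) for s in _stream_bodies(pdf)]
    blob = b"\n".join(views)
    return {
        "has_js": bool(re.search(rb"/(JavaScript|JS)\b", blob)),
        "calls_geticon": b"getIcon" in blob,
        # /OpenAction and /AA (additional actions) run scripts without a click.
        "has_open_action": b"/OpenAction" in blob or b"/AA" in blob,
    }


def build_sample(js: bytes) -> bytes:
    """Construct a minimal PDF (test data) whose JavaScript sits in a compressed stream."""
    comp = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/J#61vaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(comp)).encode()
            + b"/Filter/FlateDecode>>stream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed sample: script merely names the method, it is not an exploit.
    print(triage_pdf(build_sample(b"Collab.getIcon('icon');")))
    print(triage_pdf(build_sample(b"app.alert('hello');")))
```

A hit on all three indicators is a strong reason to quarantine the file and confirm the Reader version, not proof of exploitation; scripts can also be split across objects or encoded in ways this first pass does not unwrap.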
» SPAMfighter News - 22-04-2009