Patched Flaw; Unpatched System Brings Attacks

Friday, February 24, 2012 @ 02:02 PM gHale

Vendors release patches, but the next big hurdle is getting users to actually install them. Failing to clear that hurdle keeps quite a few attackers in high clover, as a vulnerability patched in 2010 continues to pay off for the bad guys.

One recent case shows a string of attacks against an Adobe Reader vulnerability from 2010.


The vulnerability was a flaw in Reader and Acrobat that an attacker could exploit remotely. At the time of the first reports about the bug, active attacks were already underway and exploit code was circulating online. But CVE-2010-0188 never became the kind of bug behind a widespread malware campaign, and Adobe patched it quite a while ago.

Attacks against the bug, which affects Reader and Acrobat on all of the major platforms, are still ongoing, said researchers at Symantec. The attacks use highly obfuscated JavaScript, and once the resulting shell code is running on the victim’s machine, it attempts to download a malicious executable from a remote server.

The attacks against this bug have been coming in waves for the last month or so, and Symantec researchers said they have seen more than 10,000 attacks over the last couple of weeks.

“The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form,” said Jason Zhang of Symantec. “The JavaScript manipulated a subform field by using a reference to an embedded element, ‘qwe123b’ in the example. When such an exploited PDF sample is loaded into the vulnerable PDF reading application, the XFA initialize activity is triggered and the embedded JavaScript will be called. After manually de-obfuscating it, we were able to extract the hidden JavaScript.”

Once the JavaScript runs, it does a few things, including checking the version of the vulnerable application on the targeted machine. The script converts that version number into a large integer and uses it to build an exploit and shell code specific to that version. It then sprays the shell code into the application’s memory and runs it.

The shell code includes an obfuscated URL to which the code attempts to connect and then download an executable.
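The structure Symantec describes, JavaScript carried in an XFA form and fired by the form's initialize event, is something a defender can look for without running the document. The following scanner is an added example written for this article, not Symantec's tooling or anything from the original page: it pulls the /XFA stream out of a PDF, parses the XDP template, and reports any `application/x-javascript` script attached to an `initialize` event, together with the obfuscation markers (`unescape`, `String.fromCharCode`, `eval`, `replace`) a de-obfuscation analyst would expect to see. The embedded PDF is a constructed, benign sample whose layout (object 8, a field named `qwe123b`) mirrors the description above; the script body, the marker list and the helper names are assumptions of this example.

```python
"""Heuristic scanner for JavaScript bound to the XFA 'initialize' event in a PDF.

Added example (not the article's or Symantec's code). It handles uncompressed
streams and /FlateDecode streams; other filters are out of scope here.
"""
import re
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed, benign sample PDF. /Length is omitted on purpose: this scanner
# keys off the stream/endstream markers instead of trusting the declared length.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj
2 0 obj << /XFA 8 0 R >> endobj
8 0 obj << >>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
<subform name="form1">
<field name="qwe123b"><ui><textEdit/></ui></field>
<event activity="initialize"><script contentType="application/x-javascript">
var s = unescape("%48%69"); eval(String.fromCharCode(115, 61, 49));
</script></event>
</subform>
</template>
</xdp:xdp>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# /XFA is either a single stream reference or an array of (name, ref) pairs.
XFA_VALUE_RE = re.compile(rb"/XFA\s*(\[[^\]]*\]|\d+\s+\d+\s+R)", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")

# Assumed marker list: constructs that obfuscated PDF JavaScript commonly leans on.
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode", "eval(", "replace(")


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body (between 'obj' and 'endobj')."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def xfa_stream_objects(pdf: bytes) -> List[Tuple[int, bytes]]:
    """Return (object number, body) for every object referenced from a /XFA entry."""
    objs = parse_objects(pdf)
    refs: List[int] = []
    for body in objs.values():
        for m in XFA_VALUE_RE.finditer(body):
            refs.extend(int(r) for r in REF_RE.findall(m.group(1)))
    return [(n, objs[n]) for n in refs if n in objs]


def stream_data(obj_body: bytes) -> Optional[bytes]:
    """Extract stream bytes, inflating them when the object declares /FlateDecode."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in obj_body:
        data = zlib.decompress(data)
    return data


def _local(tag: str) -> str:
    """Strip the XML namespace so XFA template versions do not matter."""
    return tag.rsplit("}", 1)[-1]


def initialize_scripts(xdp_xml: bytes) -> List[str]:
    """Return the text of every JavaScript <script> under an initialize <event>.

    XFA scripts default to FormCalc, so only scripts whose contentType names
    JavaScript are collected.
    """
    root = ET.fromstring(xdp_xml)
    found: List[str] = []
    for ev in root.iter():
        if _local(ev.tag) == "event" and ev.get("activity") == "initialize":
            for sc in ev.iter():
                ctype = (sc.get("contentType") or "").lower()
                if _local(sc.tag) == "script" and "javascript" in ctype:
                    found.append((sc.text or "").strip())
    return found


def scan_pdf(pdf: bytes) -> List[dict]:
    """Report each initialize-triggered JavaScript block in the PDF's XFA form."""
    findings: List[dict] = []
    for num, body in xfa_stream_objects(pdf):
        data = stream_data(body)
        if data is None:
            continue
        try:
            scripts = initialize_scripts(data)
        except ET.ParseError:
            findings.append({"object": num, "error": "unparseable XFA XML"})
            continue
        for js in scripts:
            markers = [mk for mk in OBFUSCATION_MARKERS if mk in js]
            findings.append({"object": num, "script_length": len(js), "markers": markers})
    return findings


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print(finding)
```

Run against the constructed sample it reports one finding on object 8 carrying three of the four markers. On real files the report is a triage signal, not a verdict: XFA forms legitimately use JavaScript, so the useful output is "initialize-event JavaScript plus obfuscation markers" in a document from an untrusted source, which is exactly the combination the attacks above rely on and the one a mail gateway or sandbox rule can key on.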
