Trend Micro researchers recently came across samples that exploited a new zero-day vulnerability in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10.
The exploit arrives as a PDF file embedded with Flash objects and malicious binary files. The Flash object contains a shellcode that allocates heaps of blocks in a system’s memory.
The exploits uses a technique known as heap spraying. Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system. The .PDF file is detected by Trend Micro as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP, while the dropped files are detected as BKDR_HAYDEN.K, BKDR_HAYDEN.L, TROJ_AGENT.AXWS, and TROJ_AGENT.IAAK.
Since Adobe has not yet provided patches for the said vulnerabilities, users are advised to take extreme caution when viewing .PDF files. A workaround has been offered, but it also disables all Flash objects embedded in PDF files – which may or may not be acceptable, depending on one’s usage patterns. Patches from Adobe are not expected until the end of the month.
July has been an exceptionally busy for zero-day exploits. Early in the month, an exploit involving ActiveX controls was used to spread FAKEAV malware; just days ago this was joined by an exploit affecting Mozilla Firefox.
Share this article