Zero-day season is far from over as reports indicate that an exploit was found targeting zero-day vulnerabilities for certain versions of Adobe Reader. This discovery came on the heels of the recent Adobe Flash Player incident that occurred last week.
In the related samples we gathered, the exploit is disguised as a .PDF file (detected by Trend Micro as TROJ_PIDIEF.KGM), which is crafted to target still unpatched vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe PDF Reader versions 9, 10, and 11. Once executed, it drops the .DLL file TROJ_INJECT.CPX along with the non-malicious file %User Temp%\Visaform Turkey.pdf. The said file is dropped as a way to hoodwink users into thinking that the specially crafted .PDF file is non-malicious.
However, in the exploit sample we analyzed, we noticed that it also drops a malicious .DLL file designed for 64-bit machines (detected by Trend Micro as TROJ64_INECT.CPX). The people behind this threat may have included this 64-bit malware in an attempt to evade detection by anti-malware programs.
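As an added example (not code from the Trend Micro post), the following triage routine shows how a responder could review the contents of a user's temp directory after such an infection: it flags the decoy "Visaform Turkey.pdf" named above and reads the COFF Machine field of any dropped DLL so that a 64-bit payload is not overlooked. The DLL file names and the file contents are constructed placeholders; only the decoy name comes from the post.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
DECOY_NAME = "Visaform Turkey.pdf"  # decoy PDF name reported in the post

def pe_machine(data: bytes):
    """Return the COFF Machine value of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def classify(data: bytes) -> str:
    """Label a blob as pe32, pe64, another PE machine type, or not a PE at all."""
    machine = pe_machine(data)
    if machine is None:
        return "not-pe"
    return {IMAGE_FILE_MACHINE_I386: "pe32",
            IMAGE_FILE_MACHINE_AMD64: "pe64"}.get(machine, f"pe-0x{machine:04x}")

def triage(files: dict) -> dict:
    """files maps a file name to its bytes (e.g. the contents of %User Temp%).
    Reports whether the decoy PDF is present and the architecture of every DLL."""
    return {
        "decoy_present": DECOY_NAME in files,
        "dll_arch": {name: classify(blob) for name, blob in files.items()
                     if name.lower().endswith(".dll")},
    }

def make_pe(machine: int) -> bytes:
    """Constructed minimal PE stub: MZ header, e_lfanew=0x40, PE signature, COFF Machine."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

# Constructed stand-in for the dropped files; the DLL names are placeholders.
SAMPLE_TEMP = {
    DECOY_NAME: b"%PDF-1.4\n%constructed decoy\n",
    "dropped32.dll": make_pe(IMAGE_FILE_MACHINE_I386),
    "dropped64.dll": make_pe(IMAGE_FILE_MACHINE_AMD64),
}

if __name__ == "__main__":
    print(triage(SAMPLE_TEMP))
```

To run it against a real machine, build the dict by reading each file in the user's temp directory with its name as the key.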
To address this issue, Adobe is currently working on a security advisory. The software vendor promises to release updates to address this issue. For the latest developments regarding this incident, readers may check Adobe’s blog.
Java, Internet Explorer, Adobe Flash Player, and now, Adobe Reader – just two months into 2013, we have already witnessed high-profile cases in which attackers used zero-day exploits to execute their schemes. Java, in particular, had several bouts with zero-day exploits this January alone. Unfortunately, this incident won’t be the last of its kind. Threat actors are known to incorporate such exploits in their schemes because they target unresolved vulnerabilities, leaving intended victims and users alike with little or no defense.
In our Annual Report for 2012 for example, we cited several zero-day vulnerabilities in Java 7 and Internet Explorer incorporated in widely distributed attacks like the Blackhole Exploit Kit. Adobe Reader was also one of the applications most used by exploit kits, along with other applications with plug-in functionalities like Internet Explorer, Adobe Acrobat and Java.
To prevent this attack, we highly discourage users from opening unknown .PDF files or those acquired from unverified sources.
Trend Micro Smart Protection Network detects and deletes the exploit used in this attack and the corresponding dropped files. Trend Micro Deep Security protects users from this zero-day exploit via 1004133 – Heuristic Detection Of Malicious PDF Documents. OfficeScan with Intrusion Defense Firewall (IDF) plugin users can also apply this rule to protect users from the malicious .PDF file.
We will update you on any developments regarding this incident.
Update as of Feb. 18, 11:46 PM PST
Adobe announced that they are working on fixes to address this issue, promising to release the security update within “the week of February 18, 2013”. More details can be found in Adobe’s security bulletin.
Update as of Feb. 21, 1:42 AM PST
Adobe has released security updates to address this issue. Users are advised to apply these security fixes as soon as possible.