Adobe PDF Zero-Day Exploit Discovered in the Wild

Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered a malware exploiting a new zero-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero day occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader, Version 9.3.4.

This zero-day vulnerability is a typical stack buffer overflow; exploitation of this issue is expected to be relatively easy. Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses an Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP).

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT, and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue, although there is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

• McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
• DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
• Host IPS: Generic buffer overflow protection provides partial coverage
• Foundstone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk