Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered a malware exploiting a new zero-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero day occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader, Version 9.3.4.
This zero-day vulnerability is a typical stack buffer overflow; exploitation of this issue is expected to be relatively easy. Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses an Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP).
We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.
McAfee Labs is coordinating with Adobe PSIRT, and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue, although there is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.
McAfee protection to date: