Adobe Systems is warning users about a new vulnerability being exploited in the wild. Anti-malware researchers at McAfee have confirmed that they found evidence of at least one exploit.
According to Adobe, the vulnerability can be used to “cause a crash and potentially allow an attacker to take control of the affected system.” The bug exists in Adobe Reader 9.3.4 and earlier for Windows, Macintosh and Unix systems. It also exists in Adobe Acrobat up to version 9.3.4 for Mac and Windows.
Adobe did not provide technical details of the vulnerability, but it is thought to lie in the way the applications handle TrueType fonts. An advisory by security specialist Secunia advised users not to open untrusted files. It said that the issue is caused by “a boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow by … tricking a user into opening a specially crafted PDF file.”
The latest version of Adobe Reader was compiled with stack protection (stack cookies that guard the saved return addresses and other code pointers on the stack). The new exploit uses return-oriented programming (ROP) to bypass this protection, as well as data execution prevention (DEP), and inject malicious code into the running process.
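As an added illustration (not code from the article, Adobe or Secunia), the following Python check shows the boundary condition a font parser or a PDF quarantine filter must enforce before it copies TrueType table bytes into a fixed-size buffer: every table record in the sfnt table directory has to fit inside the font data. The table layout is the standard TrueType/OpenType table directory; the function names and the two sample fonts are constructed for this example.

```python
import struct

# Standard TrueType table directory: a 12-byte offset table followed by
# 16-byte table records (big-endian).
OFFSET_TABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length


def check_truetype_tables(font):
    """Return a list of boundary problems found in a TrueType table directory.

    An empty list means every table record lies inside the font data. Python
    integers do not wrap, so offset + length is safe even for hostile 32-bit
    values; a C parser must instead test `length > size - offset` to avoid
    integer wraparound before trusting the record.
    """
    problems = []
    if len(font) < OFFSET_TABLE.size:
        return ["font shorter than offset table"]
    sfnt_version, num_tables, *_ = OFFSET_TABLE.unpack_from(font, 0)
    if sfnt_version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        problems.append("unexpected sfnt version 0x%08x" % sfnt_version)
    directory_end = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    if directory_end > len(font):
        return problems + ["numTables=%d overruns the font data" % num_tables]
    for i in range(num_tables):
        tag, _, offset, length = TABLE_RECORD.unpack_from(
            font, OFFSET_TABLE.size + i * TABLE_RECORD.size)
        if offset + length > len(font):
            problems.append("table %r: offset %d + length %d exceeds %d bytes"
                            % (tag, offset, length, len(font)))
    return problems


def build_font(records, body_size):
    """Construct a minimal TrueType-like blob for testing (not a usable font)."""
    header = OFFSET_TABLE.pack(0x00010000, len(records), 0, 0, 0)
    directory = b"".join(TABLE_RECORD.pack(tag, 0, off, ln) for tag, off, ln in records)
    return header + directory + b"\x00" * body_size


# Constructed samples: a consistent font and one whose 'cvt ' record claims a
# length far past the end of the data, the inconsistency a parser must reject.
HEADER_SIZE = OFFSET_TABLE.size + 2 * TABLE_RECORD.size  # 44 bytes
GOOD_FONT = build_font([(b"cmap", HEADER_SIZE, 16), (b"cvt ", HEADER_SIZE + 16, 16)], 32)
BAD_FONT = build_font([(b"cmap", HEADER_SIZE, 16), (b"cvt ", HEADER_SIZE + 16, 0xFFFFFFF0)], 32)

if __name__ == "__main__":
    for name, font in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(name, check_truetype_tables(font) or "ok")
```

Fonts embedded in a PDF (the /FontFile2 stream of a TrueType font descriptor) are usually compressed, so a real filter has to decode the stream before handing its bytes to a check like this.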
“Unfortunately, there are no mitigations we can offer,” a spokesperson told eWEEK in an email. “However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up-to-date.”
Adobe officials were unable to say when a patch would be available but confirmed that the company would continue to provide users with updated information. They also thanked Mila Parkour of Contagiodump [Ewww, is that a real name?- Editor] for reporting the flaw and working on this issue with them.
Adobe, like other software vendors, has had to issue patches on a regular basis.