Hackers exploiting Acrobat Reader zero-day flaw since December

Published: April 9, 2026 at 05:22 AM EDT

Source: Bleeping Computer

Overview

Attackers have been exploiting a zero‑day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December.

Discovery and Technical Details

Security researcher Haifei Li (founder of the sandbox‑based exploit‑detection platform EXPMON) uncovered the attacks. Li described the threat as a “highly sophisticated, fingerprinting‑style PDF exploit” targeting an undisclosed Adobe Reader flaw.

Key technical points:

  • The exploit works on the latest version of Adobe Reader without any user interaction beyond opening the PDF.
  • It leverages privileged Acrobat APIs util.readFileIntoStream and RSS.addFeed to steal data from compromised systems.
  • The exploit can enable subsequent RCE/SBX attacks, potentially giving the attacker full control of the victim’s system.

“This ‘fingerprinting’ exploit has been confirmed to leverage a zero‑day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.
“Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”

Li has also disclosed a long list of vulnerabilities in Microsoft, Google, and Adobe software, many of which have been exploited in zero‑day attacks.

Russian‑language Phishing Lures

Threat‑intelligence analyst Gi7w0rm, who also examined the Adobe Reader exploit, found that the malicious PDFs contain Russian‑language lures referencing ongoing events in the Russian oil and gas industry.

Mitigation and Recommendations

  • User guidance: Until Adobe releases a patch, users should avoid opening PDF documents from untrusted sources.
  • Network defenses: Monitor and block HTTP/HTTPS traffic that includes the string “Adobe Synchronizer” in the User‑Agent header.
  • Community alert:

    “This zero‑day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert. This is why we have chosen to publish these findings immediately so users can stay vigilant,” Li added.
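
One way to apply the User‑Agent indicator above to existing proxy logs (an added example, not code from the article or from Li's research). It assumes logs in the Apache/NGINX "combined" format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

MARKER = "adobe synchronizer"  # User-Agent substring named in the article

# Apache/NGINX "combined" layout; the proxy log format is an assumption.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation addresses and example domains only).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2026:09:14:02 +0000] "GET http://feeds.example.net/rss HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.23 - - [09/Apr/2026:09:15:40 +0000] "GET http://collector.example.org/f HTTP/1.1" 200 128 "-" "Adobe Synchronizer"
192.0.2.23 - - [09/Apr/2026:09:15:44 +0000] "POST http://collector.example.org/u HTTP/1.1" 200 64 "-" "Mozilla/3.0 (compatible; adobe synchronizer)"
192.0.2.31 - - [09/Apr/2026:09:16:01 +0000] "CONNECT updates.example.com:443 HTTP/1.1" 200 0 "-" "-"
this line is malformed and must not crash the scan
"""


def find_hits(log_text, marker=MARKER):
    """Group requests whose User-Agent contains the marker by client address.

    Returns (hits, skipped): hits maps client -> [(timestamp, method, url, ua)],
    skipped counts lines that did not parse, so gaps in coverage stay visible.
    """
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        # Case-insensitive substring match: the marker may be embedded in a
        # longer User-Agent value or differ in capitalisation.
        if marker in m["ua"].lower():
            hits[m["client"]].append((m["ts"], m["method"], m["url"], m["ua"]))
    return dict(hits), skipped


if __name__ == "__main__":
    hits, skipped = find_hits(SAMPLE_LOG)
    for client, requests in hits.items():
        print(f"{client}: {len(requests)} request(s) with marker in User-Agent")
        for ts, method, url, ua in requests:
            print(f"  [{ts}] {method} {url}  UA={ua!r}")
    print(f"unparsed lines: {skipped}")
```

For HTTPS through a forward proxy, the requests inside a CONNECT tunnel are only visible to this kind of check when the proxy performs TLS inspection.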

Adobe’s Response

BleepingComputer contacted Adobe for comment on Li’s findings; a response was not immediately available.
