Security researchers at ESET and Microsoft have reported finding two zero-day exploits that were used in a single malicious PDF document. This document was exploiting two previously unknown vulnerabilities, including a remote-code execution vulnerability in Adobe Reader and a privilege escalation vulnerability in Microsoft Windows.
“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction,” the researchers write. “APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.”
Related Microsoft Could Turn Out to Be a GDPR Winner – Windows Maker Pledges to Extend EU Privacy Rights Worldwide
Microsoft and Adobe both have since released corresponding patches to these two security exploits. The Microsoft research team clarified that the bugs did not affect latest modern platforms like Windows 10.
“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory.
This malicious PDF was found in VirusTotal, but Microsoft said that the company hasn’t “observed actual attacks perpetrated using these exploits.” Here’s the list of products that are affected:
- Acrobat DC (2018.011.20038 and earlier versions)
- Acrobat Reader DC (2018.011.20038 and earlier versions)
- Acrobat 2017 (011.30079 and earlier versions)
- Acrobat Reader DC 2017 (2017.011.30079 and earlier versions)
- Acrobat DC (Classic 2015) (2015.006.30417 and earlier versions)
- Acrobat Reader DC (Classic 2015) (2015.006.30417 and earlier versions)
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows and Adobe zero-days discovered and patched before attackers had time to deliver them
In a rare timely collaboration, security researchers were actually able to patch these bugs up before they could be exploited by attackers. “Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers,” Microsoft wrote.
Related Adobe Sends Second Wave of Security Patches Fixing Critical Flaws
The exploit was apparently in an early development stage and the PDF didn’t actually deliver a malicious payload but appeared to be proof-of-concept (PoC) code. The malicious PDF sample embedded a JavaScript code that controlled the entire exploitation process. “Once the PDF file is opened, the JavaScript code is executed,” ESET wrote in its own disclosure.
Patches are now available for both Adobe and Microsoft users:
- APSB18-09
- CVE-2018-8120
– For technical details, head over to ESET and Microsoft.