The Big Bullseye On Adobe

By Larry Seltzer  |  Posted 2008-06-06

As the company's software becomes more important to many companies, the attack surface of their products grows.

It's not news that Adobe and their products are a major target of vulnerability research and malicious hackers. This is a trend that will only grow. If they were still doing such things, we could soon expect the Month of Adobe Bugs.

The major security story of a couple weeks ago was initially reported as a zero day, although it turned out that it was effectively patched by the current version. Still, Flash is very widely deployed and is therefore one of the top targets of malicious programmers.

If you believe Adobe's numbers, Flash users update fairly aggressively, especially in the developed world. Perhaps it's still not aggressively enough, as attackers are hot on Adobe's tail.

We learned of a few examples recently from F-Secure. One fairly pedestrian exploit downloads and executes a Trojan Horse program. It's interesting because it uses obfuscation of the shell code, although very simple obfuscation. A more thorough job might have been more difficult to detect.

Of course, Acrobat is also widely deployed and heavily relied on by large corporations, lawyers, governments, etc., and it is also a major vehicle for real-world attacks, not just empty vulnerability reports. F-Secure reported about a week ago on a malicious PDF they received from VirusTotal. This one is a hoot.

The PDF uses a known vulnerability in Acrobat (they don't say whether the vulnerability is patched, but I suspect not since it triggered on their test system). It drops two files in the .temp folder, an .exe and a second PDF. It runs the .exe and launches the PDF, which appears to be a Department of Homeland Security Form G-235A. The form is a red herring to distract you from the fact that the .exe is a rootkit and reports back through port 80 to malicious servers in China.

How do they make these malicious PDF files? F-Secure stumbled on that as well. The attackers use a tool like GenMDB. You give the tool the PDF you want to trojanize, the .exe you want to embed in it, and the platform on which you want it to run. GenMDB is an odd name; it must have been adapted from a tool to trojanize MDB (Microsoft Access) files, and this version should be GenPDF.

GenMDB raises the whole issue of cross-platform attacks. Since Flash and PDF are cross platform, there have been many vulnerabilities that are cross platform themselves. Since they usually have to execute shell code in order to do something, they end up being platform specific and therefore Windows specific, although I can imagine ways around that. For instance, did you know that PDFs can contain JavaScript? It might be possible to determine the platform in JavaScript and dispatch the proper exploit code all within the PDF. In any event, F-Secure told me that GenMDB has only one option in the platform listing, XP+Acrobat8.
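A defender-side triage of the PDF traits described above (embedded files, JavaScript, actions that fire on open), added here as an example; it is not code from the article or from F-Secure. The two sample documents are constructed minimal PDF skeletons, and the #xx decoding covers the name-object hex escaping the PDF format permits, which simple keyword scanners otherwise miss:

```python
import re

# PDF names may hex-escape characters (/J#61vaScript is /JavaScript): decode them first.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Traits of the PDF malware described above: scripts, auto-run actions, launching, embedded files.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so hex-obfuscated PDF names compare as plain text."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_risky_names(data: bytes) -> dict:
    """Count each risky name; a delimiter must follow so /JS does not match /JSomething."""
    norm = normalize_names(data)
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?=[\s/<>\[\]()]|$)", norm))
            for n in RISKY_NAMES}

def triage(data: bytes) -> tuple:
    """Return (is_suspicious, reasons) for a PDF's raw bytes."""
    c = count_risky_names(data)
    reasons = []
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs an action automatically")
    if c["/Launch"]:
        reasons.append("launches an external program")
    if c["/EmbeddedFile"]:
        reasons.append("carries an embedded file")
    return (bool(reasons), reasons)

# Constructed samples (not real malware): a skeleton mimicking the
# "auto-run script plus embedded payload file" pattern, and a plain one.
SAMPLE_SUSPICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Pages 3 0 R >> endobj
2 0 obj << /S /J#61vaScript /JS (app.alert('decoy')) >> endobj
4 0 obj << /Type /Filespec /F (form.exe) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
%%EOF"""
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
%%EOF"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(doc))
```

Raw-byte keyword scanning cannot see names inside compressed object streams, so a clean result is only a weak signal; a hit is worth a closer look.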

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
