Cyber-Attack Dodges Sandbox to Hit Adobe Reader, Windows XP

A technical analysis shows that a cyber-attack currently hitting systems in the wild is using two separate vulnerabilities to break out of the Adobe sandbox to infect Windows systems.

A cyber-attack currently hitting systems on the Internet uses two vulnerabilities—one in Adobe Reader and another in Windows—to compromise Windows XP and 2003 systems and download code, according to a technical analysis of the attack published by security firm Trustwave on Dec. 11.

The attack, first detected by threat-protection firm FireEye in late November, uses a software flaw to escape from the security container, also known as the sandbox, which was implemented by Adobe to protect users of its software. A second part of the attack exploits a still-unpatched vulnerability in Windows XP and Windows 2003 to gain greater privileges so the attacker can install code on the compromised machine and take control of it.

While attacks that chain together several exploits—especially those that incorporate a privilege escalation—are not uncommon, the technique shows that these particular attackers are skilled, Ziv Mador, director of security research for Trustwave, told eWEEK.

"It shows the very high sophistication of the people who identified these vulnerabilities and turned them into attacks," he said. "It shows that they are highly technical to find vulnerabilities in different products and combine them into a reliable exploit."

Attackers continue to use more sophisticated techniques to get around defensive technologies put in place by operating system vendors and software developers. Microsoft incorporates techniques such as data execution prevention (DEP) and address space layout randomization (ASLR) to make exploitation of software flaws more difficult and less reliable.

A number of software developers, including Google and Adobe, also have incorporated sandboxing, which digitally cordons off suspicious code from the operating system. Yet attackers have found ways to escape the sandbox and run code despite Microsoft's mitigations.

The latest attack also comes as Microsoft prepares to end support for Windows XP in April 2014. While Windows XP is a dozen years old, it continues to account for 31 percent of operating systems in use today, according to Net Applications, a company that tracks the market share of various Internet technologies.

Microsoft has not yet issued a patch for the issue, but it advised that companies could make changes to eliminate the threat posed by the vulnerability on affected systems.

"These limited, targeted attacks require users to open a malicious PDF file," Dustin Childs, a spokesperson for Microsoft's Trustworthy Computing group, said in a blog post. "The issues described by the advisory cannot be used to gain access to a remote system alone."

Adobe PDF files, Microsoft Office documents and Oracle Java applets continue to be used by attackers to compromise systems in targeted attacks.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...