Malicious PDF Leads to Discovery of Adobe Reader, Windows Zero-Days

Researchers at ESET recently came across a malicious PDF file set up to exploit two zero-day vulnerabilities affecting Adobe Reader and Microsoft Windows.

The malicious document leverages a privilege escalation flaw in Windows (CVE-2018-8120) and a remote code execution vulnerability in Adobe Reader (CVE-2018-4990). CVE-2018-8120 is one of the two zero-day vulnerabilities fixed by Microsoft with its May 2018 Patch Tuesday updates, while CVE-2018-4990 was addressed by Adobe on May 14 with the release of updates that fix nearly 50 other issues.

By combining the two flaws, attackers can execute arbitrary code with elevated privileges with minimal user interaction – specifically, opening the malicious PDF.

In order to make it more difficult for attackers to execute arbitrary code on a system running its Reader software, Adobe has implemented a sandbox. Exploiting only CVE-2018-4990 allows code execution within the sandbox, but combining it with the Windows privilege escalation flaw makes it possible to escape the sandbox and execute the code in kernel mode.

It’s worth noting that CVE-2018-8120 only affects Windows 7 and Windows Server 2008 – newer versions of the operating system include security features that prevent attacks.

ESET discovered the malicious PDF in a public malware repository (likely VirusTotal). However, the company has not shared any information on who may have found the flaws and who the attackers may have planned on targeting.

“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing,” explained Anton Cherepanov, the ESET researcher credited by Microsoft and Adobe for reporting the flaws.

ESET has published a blog post containing technical information on both vulnerabilities.

At the time of writing, 18 of the 59 antivirus engines on VirusTotal detect the files discovered by ESET as a generic Trojan or exploit.

Using two zero-day exploits in a single file is not unheard of. Last year, the Russia-linked threat actor known as APT28, Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium leveraged an Office RCE flaw (CVE-2017-0262) and a Windows privilege escalation (CVE-2017-0263) to deliver malware.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
