Waiting for security update: Attackers targeting Adobe Reader

Attackers are currently exploiting a zero-day vulnerability in Adobe Reader. Until a security update is available, you should not open PDFs from unknown sources.

Security researchers are warning of attacks on Adobe Reader. Simply opening manipulated PDF files is said to be sufficient for a successful attack. Attackers can then copy files and compromise systems.

A security researcher discovered the zero-day security vulnerability using the sandbox analysis tool EXPMON. He details his findings in a post. According to him, unknown attackers have been exploiting the vulnerability since at least last December. The vulnerability has not yet been assigned a CVE number, and a threat level classification is still pending.

However, according to the researcher, all signs point to a critical rating: he states that victims only need to open a PDF document prepared by the attackers to trigger an attack. The attackers then access the Adobe Reader APIs util.readFileIntoStream() and RSS.addFeed(), which run with high privileges. Using these, they copy files and send them to servers they control.

But there's more: According to the researcher, attackers download further malicious code modules during the attack to execute their own code and ultimately compromise computers. The extent of the attacks and who is behind them is currently unclear.

Another security researcher has analyzed PDF files used in the attack campaign. On X, he writes that they contain Russian-language text and discuss current events related to the oil and gas industry in Russia.

It is also currently unclear to what extent the security vulnerability affects the Acrobat PDF Reader function implemented in Microsoft's Edge browser.

It is currently unknown when a security patch will be released. The discoverer of the vulnerability states that Adobe has been contacted. Until a patch is available, one should not open PDF files from unknown sources.
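
For mail gateways or file shares that need to triage incoming PDFs until a patch arrives, the following added example (not from the researcher or from Adobe) flags files whose raw bytes or zlib-compressed streams mention the two APIs named above. The function names, the regular expression and the sample documents are assumptions constructed for this sketch.

```python
import re
import zlib

# The two API names come from the article; the rest is an assumption of this sketch.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(data: bytes):
    """Yield the raw file bytes, then every stream body that zlib can inflate."""
    yield data
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a clipped trailing byte or extra padding
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filter, encrypted, or not compressed: skip


def triage_pdf(data: bytes) -> dict:
    """Report JavaScript actions and the named APIs in raw or inflated content."""
    javascript, apis = False, set()
    for view in decoded_views(data):
        javascript = javascript or b"/JavaScript" in view or b"/JS" in view
        apis.update(a.decode() for a in SUSPECT_APIS if a in view)
    return {"javascript": javascript, "apis": sorted(apis), "suspicious": bool(apis)}


def make_sample(script: bytes) -> bytes:
    """Constructed PDF-like fragment with one FlateDecode stream (not a real sample)."""
    body = zlib.compress(script)
    head = b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode()
    return head + obj + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed inputs: the API names appear as bare identifiers only.
    for label, script in (("flagged", b"util.readFileIntoStream; RSS.addFeed;"),
                          ("clean", b"app.alert('hello');")):
        print(label, triage_pdf(make_sample(script)))
```

A hit is a reason to quarantine the file for analysis; a miss proves nothing, because scripts can be obfuscated, stored with other stream filters, or referenced through escaped PDF names that this string match does not decode.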

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.