In February, Adobe issued its 7th security bulletin in 2010. The updates resolve two holes in Adobe Reader and Acrobat 9.3.0 and 8.2.0 and earlier versions. Among these, a critical flaw (CVE-2010-0188) potentially allows hackers to take remote control of the affected computers. By the time of the update’s issue, exploit code and detailed information about the hole had not been disclosed.
In early and middle March, however, lots of malicious codes embedded in .pdf files exploiting the above hole have been found. The exploit code has also been published on the Internet.
The hole stems from Libtiff, an open source code library used by Adobe Reader and Acrobat to process .TIFF images (Tagged Image File Format). What’s worth saying is that this hole is one of those found in Libtiff in 2006 (CVE-2006-3459).
The hole is due to the use of memcpy() function with the copied byte exceeding the destination buffer’s size. This will lead to a stack overflow, and the returned address will be changed.
Also, there is a more applicable attack method which is already used in the aforementioned exploit code. Specifically, the data overflown on the stack are specially crafted so that when being referred to, these data bytes will be arranged in a way that forms a special code to search and copy the shellcode lying somewhere on the process’s memory and then execute it.
After memcpy() function call, the stack is overflown with specially crafted data in the input file.
In fact, these are the two exploit methods used by the already spread malwares. These exploit codes all successfully run on Windows XP SP2 and Windows XP SP3. Specially, the threats not only come from Adobe Reader and Acrobat but from Adobe Plugin for web browsers as well. This means malwares could be easily executed when users click on a link to malicious .pdf file. That’s why this hole is rated critical and has become hackers’ favored attack target in recent time.
The patch for this vulnerability has been released since February, so users should immediately update to Adobe Reader 8.2.1 or 9.3.1 to protect their computers.
Author: Le Manh Tung