
PDF exploit built to combine zero-day Windows and Adobe Reader bugs

A privilege escalation vulnerability that was patched last week in Microsoft Windows and an Adobe Reader remote code execution bug that was fixed yesterday in a product update were both jointly targeted by a PDF-based zero-day exploit prior to their discovery, researchers from ESET reported today.

In a blog post describing the dual exploit, Anton Cherepanov, an ESET senior malware researcher, states the malicious PDF sample was found uploaded to a public repository, but did not yet contain a final payload, meaning it may have been spotted while still under early-stage development.

"The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction," states Cherepanov, noting that the combined use of more than one vulnerability typically signifies the work of an APT group such as Russia's Fancy Bear cyber outfit.

When opened, the PDF sample runs embedded JavaScript code inside Adobe Reader to exploit CVE-2018-4990, a critical double-free memory corruption vulnerability -- one of 47 Acrobat and Reader bugs that Adobe repaired via security updates on May 14. The exploit gives attackers read and write access to memory, allowing them to run shellcode that launches a malicious PE file.
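The sample's first stage depends on JavaScript that Reader runs automatically when the document is opened. A defender triaging PDF uploads can flag that combination before any exploit detail matters: a document that carries JavaScript and an open-time trigger (/OpenAction or an /AA additional-actions dictionary) deserves sandboxing or blocking. The script below is an added illustration of that check, not code from ESET or the article; the embedded PDF bytes are constructed for the example, and the name-escape handling (PDF lets any byte in a name be written as #xx, so /J#61vaScript is the same name as /JavaScript) is a common evasion of naive string matching.

```python
import re
import sys

# PDF name keys that indicate active content or an automatic trigger.
# /JavaScript and /JS carry script; /OpenAction and /AA make the document
# act when it is opened or when a page/field event fires; /Launch runs a program.
SUSPICIOUS_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")

# #xx hex escape inside a PDF name object, e.g. /J#61vaScript
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspicious_names(data: bytes) -> dict:
    """Count occurrences of each suspicious name in the (normalized) raw bytes."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter; the lookahead keeps /JS
        # from matching a longer name such as /JSX.
        pattern = re.compile(rb"/" + name.encode() + rb"(?=[\s/\[\]<>(){}%]|$)")
        n = len(pattern.findall(norm))
        if n:
            counts[name] = n
    return counts


def triage_pdf(data: bytes) -> dict:
    """Return a small verdict dict for a PDF's raw bytes."""
    counts = count_suspicious_names(data)
    has_js = "JavaScript" in counts or "JS" in counts
    auto_trigger = "OpenAction" in counts or "AA" in counts
    if has_js and auto_trigger:
        verdict = "js-on-open"   # script plus an automatic trigger: highest priority
    elif has_js:
        verdict = "has-js"
    else:
        verdict = "clean"
    return {
        "counts": counts,
        # Escaped bytes inside names are rare in benign files; report them as an indicator.
        "escaped_names": len(_NAME_ESCAPE.findall(data)),
        "verdict": verdict,
    }


# Constructed sample: a minimal PDF whose catalog points /OpenAction at a
# JavaScript action, with the action type name obfuscated as /J#61vaScript.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert('hello');) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same document without the action object.
CLEAN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    # Usage: python triage.py file.pdf   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(triage_pdf(data))
```

This looks only at the raw bytes, so it will miss names that live inside compressed object streams (FlateDecode); a production triage step inflates those streams first or hands the file to a full PDF parser. The value of the check is as a cheap first filter that escalates "JavaScript plus open-time trigger" files to a sandbox, which is exactly the profile of the sample described above.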

But for this RCE exploit to be truly devastating, the attackers next have to bypass the Adobe Reader protective sandbox and compromise the entire computer -- and that's where the Windows OS bug comes into play. The elevation of privilege vulnerability, CVE-2018-8120, occurs when the Win32k component fails to properly handle objects in memory, and can be exploited to run arbitrary code in kernel mode, giving attackers total control.

Cherepanov is credited with finding the Microsoft issue and was given co-credit along with Microsoft researcher Matt Oh for reporting the Adobe vulnerability.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
