It’s not every day someone develops a malware attack that, with one click, exploits separate zero-day vulnerabilities in two widely different pieces of software. It’s even rarer that a careless mistake burns such a unicorn before it can be used. Researchers say that’s precisely happened to malicious PDF document designed to target unpatched vulnerabilities in both Adobe Reader and older versions of Microsoft Windows.
Modern applications typically contain “sandboxes” and other defenses that make it much harder for exploits to successfully execute malicious code on computers. When these protections work as intended, attacks that exploit buffer overflows and other common software vulnerabilities result in a simple application crash rather than a potentially catastrophic security event. The defenses require attackers to chain together two or more exploits: one executes malicious code, and a separate exploit allows the code to break out of the sandbox.
A security researcher from antivirus provider Eset recently found a PDF document that bypassed these protections when Reader ran on older Windows versions. It exploited a then-unpatched memory corruption vulnerability, known as a double free, in Reader that made it possible to gain a limited ability to read and write to memory. But to install programs, the PDF still needed a way to bypass the sandbox so that the code could run in more sensitive parts of the OS.
The solution was to combine a separate attack that exploited a previously unknown privilege-escalation vulnerability in Microsoft OSes predating Windows 8. As the name suggests, privilege-escalation vulnerabilities allow untrusted code or users who normally have limited system rights to gain nearly unfettered access to the most sensitive resources of an OS. With that, a mere click on the PDF was all that was necessary for it to install malware of an attackers’ choice on many Windows 7 and Server 2008 computers.
“This is pretty rare to have an exploit in a popular piece of software that is combined with a zero-day for the operating system in order to escape sandboxing protection,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told Ars. “The skill level involved to pull this off suggests that the attacker was quite advanced.”
One of the few other times in recent memory that researchers have unpacked an in-the-wild exploit that exploited two different components was early last year when a malicious Microsoft Word file targeted staffers of Emmanuel Macron, who at the time was a candidate to be President of France (he has since won). According to Eset, the DOCX file exploited a remote code execution vulnerability in Word and a local privilege escalation flaw in Windows. Researchers said the document was used to install surveillance malware used by Fancy Bear, the name given to a hacking group researchers widely believe is sponsored by the Russian government.
Oddly, the PDF this time around was found on VirusTotal, the Google-owned malware-detection service. The body of the document said only “PDF sample.” Both Malwarebytes and Eset suspect attackers uploaded the file during development to test if various antivirus providers could detect it.
Rather than installing malware, the file simply downloaded and installed a calculator program (see the image to the right). Before the attackers could use the PDF widely, if at all, Eset found it and reported the vulnerabilities to Microsoft and Adobe. Microsoft fixed the privilege-escalation bug 11 days ago. Adobe patched Reader on Monday. With that, the fruits of this advanced person or group were spoiled.
While the exploit required time and skill to develop, its value was limited for at least two reasons. First, improved defenses Microsoft introduced with Windows 8 prevented the privilege-escalation exploit from working. Second, Malwarebytes AV was able to detect the malicious PDF and stop it from working, and it’s likely other AV programs had the same ability. Still, the PDF could probably have been useful in campaigns that targeted people who used older computers.