CIO

Adobe: attackers can hack Windows 7 with this critical Acrobat PDF flaw

Adobe has updated its Monday advisory to warn that an exploit for one critical flaw affecting its Acrobat PDF reader exists in the wild. Worryingly, the flaw can be combined with a just-patched Windows flaw to take control of an affected machine.

Adobe on Monday released fixes for 47 flaws affecting Acrobat products and initially said it was not aware of attacks in the wild for any of the flaws. However, today Adobe updated its security bulletin with a comment that it is “aware of a report that an exploit for CVE-2018-4990 exists in the wild”. 

The “critical” Adobe Reader flaw was reported by ESET researcher Anton Cherepanov, who also found an “important” flaw that Microsoft patched in its May Patch Tuesday update, which is being tracked as CVE-2018-8120.

Adobe’s updated bulletin brings its advisory in line with information in Microsoft’s advisory that said there were attacks in the wild against a previously undisclosed elevation of privilege flaw affecting Windows.

Cherepanov today filled in the gaps in a blog post, revealing that both vulnerabilities were discovered in a single malicious PDF document that chained them: a remote code execution flaw in Adobe Reader, followed by elevation of privileges on a vulnerable Windows machine.

As with the “Double Kill” Internet Explorer exploit that Microsoft also patched in May, Cherepanov suggests the combined attack on Adobe Reader and Windows was the work of state-sponsored hackers. 

While these exploits are typically reserved for high-value targets, there are concerns that Double Kill and the Acrobat Reader/Windows flaws will be appealing to cybercriminals for indiscriminate attacks on average users. 

According to Cherepanov, the Reader/Windows attack was a “rare case” in which the attackers found vulnerabilities and wrote exploits for both Adobe Reader and the underlying operating system, rather than relying on an operating system flaw alone to escape the Acrobat Reader Protected Mode sandbox. The sandbox is meant to thwart attempts to compromise a computer running Adobe Reader.

“Usually, sandbox bypass is achieved by exploiting a vulnerability in the operating system itself. This is a rare case when the attackers were able to find vulnerabilities and write exploits for the Adobe Reader software and the operating system,” Cherepanov wrote. 

The attack on Acrobat Reader relies on a specially crafted JPEG2000 image to run malicious JavaScript code in Adobe’s JavaScript engine. 
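The pairing described above, a JPEG2000 image carrying the trigger and JavaScript executed by Reader's engine, is what a defender would look for when triaging inbound PDFs. The scanner below is an added example and not code from the article, ESET or Adobe. The indicator tokens are standard PDF name objects (/JPXDecode for JPEG2000 image streams, /JS and /JavaScript, /OpenAction and /AA for actions that run on open); the grouping, the verdict rules and the two sample documents are this example's own constructions. It also resolves the #xx hex escapes PDF allows inside names, so a document that spells /J#61vaScript is not missed by a plain substring match.

```python
import re

# Indicator tokens derived from the article's description of the sample PDF:
# a JPEG2000 image (the /JPXDecode filter) used to drive JavaScript in
# Reader's engine. All tokens are standard PDF name objects; the grouping
# and the verdict rules below are this example's own assumptions.
INDICATORS = {
    "javascript": (b"/JavaScript", b"/JS"),
    "jpeg2000": (b"/JPXDecode",),
    "auto_run": (b"/OpenAction", b"/AA"),
}

# PDF names may encode any byte as #xx, e.g. /J#61vaScript == /JavaScript.
_HEX_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an escaped spelling cannot slip past the match."""
    return _HEX_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return which indicator groups appear anywhere in the raw document."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: header missing")
    text = normalize_names(data)
    hits = {group: any(tok in text for tok in toks)
            for group, toks in INDICATORS.items()}
    # Objects packed into compressed object streams are invisible to a raw
    # byte scan, so record that the verdict may be incomplete.
    hits["objstm"] = b"/ObjStm" in text
    return hits


def triage(data: bytes) -> str:
    """Map indicator hits to a verdict string for an analyst queue."""
    hits = scan_pdf(data)
    if hits["javascript"] and hits["jpeg2000"]:
        return "suspicious"   # the same pairing the article describes
    if hits["javascript"] and hits["auto_run"]:
        return "review"       # script wired to run on open, no image trigger
    if hits["objstm"]:
        return "unknown"      # decompress object streams before judging
    return "low"


# Constructed sample documents (minimal, not real-world files). The
# suspicious one spells /JavaScript and /JS with hex escapes to exercise
# normalize_names(); its script body is an inert placeholder string.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R "
    b"/Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /JPXDecode /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R "
    b"/Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /JPXDecode /Length 0 >> stream\nendstream endobj\n"
    b"5 0 obj << /S /J#61vaScript /J#53 (placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(doc), scan_pdf(doc))
```

A raw byte scan cannot see objects packed into compressed object streams or into an encrypted document, so the script deliberately returns "unknown" rather than "low" when it sees /ObjStm; a real pipeline would inflate those streams (or hand the file to a full PDF parser) before trusting a clean result. The /JS and /AA substring matches are coarse on purpose and will also hit longer names that start the same way, which is acceptable for a queueing heuristic but not for a blocking rule.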

After exploiting the Reader flaw, the attacker then needs to exploit the Windows flaw, which allows an attacker who has already logged on to the affected machine to run arbitrary code in kernel mode and take control of the system.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” wrote Microsoft. 

On the upside, ESET reported the flaws to Adobe and Microsoft after discovering a sample PDF that exploited flaws in both firms’ software. The sample, however, did not contain an actual malicious payload, which could mean the exploit was caught in its early stages of development.

The other mitigating factor is that only Windows 7 and earlier are affected, which bodes well for Microsoft’s argument that consumers and enterprises should upgrade to Windows 10 for better security.