September 9, 2010

Adobe Reader 0-day vulnerability (CVE-2010-2883)

Tamas Rudnai

A new critical vulnerability has been discovered in Adobe Reader that can be exploited by malicious content. The vulnerability could crash the reader due to a stack buffer overflow bug, which then potentially allows an attacker to run malicious code on the user's computer. This vulnerability is reported to be widely exploited and the exploit has been added to MetaSploit, therefore the severity is critical:



All 9.3.4 and earlier versions of Adobe Reader are affected including Windows, Macintosh and Unix ones. The vulnerability is relying on a buffer boundary checking issue in the font parsing code in the cooltype.dll file. Adobe is currently evaluating the schedule for an update. 

The sample has been detected by many antivirus products: 



This sample checks the version of Adobe Reader and sprays different shellcodes for different versions. If it is not satisfied with the version number then it displays an alert: “Please update your PDF viewer software.”. 

The exploit code in the vulnerable PDF file: 



The shellcode then downloads a fake antivirus onto the user's computer: 



The security advisory from Adobe: 



We have proved that ACE is protecting against the samples we have seen so far.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.