In an unusual case someone managed to develop a malware attack that, with one click, exploits separate zero-day vulnerabilities in two different pieces of software. Even more exceptional is that an error burns a unicorn before it can be used. According to information security experts, this is precisely what happened with a malicious PDF document designed to attack unpatched vulnerabilities in both Adobe Reader and earlier versions of Microsoft Windows.
Today, applications often contain “sandboxes”, in addition to other defenses to make it harder for exploits to run malicious code on devices. When the protections work as intended, the buffer overflow attacks and other common software vulnerabilities result in a crash of the application and not a catastrophic security event. Defenses require attackers to link two or more exploits: one executes malicious code and another exploit allows the code to exit the “sandbox”.
An Eset analyst found a PDF document that ignored the protections when Reader ran on earlier versions of Windows. It exploited a vulnerability of memory corruption, called “double free”, in Reader that allows obtaining a limited capacity to read and write in memory. But when installing programs, the PDF needed a way to bypass the “sandbox” so that the code would run in sensitive parts of the operating system.
According to information security experts, the solution was to combine a separate attack that exploited unknown privilege escalation vulnerability in Microsoft operating systems prior to Windows 8. These privilege escalation vulnerabilities could allow users with limited system rights to obtain unrestricted access to the sensitive resources of an operating system. With a click on the PDF, the malware was installed on Windows 7 and Server 2008 computers.
“It’s pretty weird to have an exploit on a piece of software that combines with a zero day for the operating system in order to escape sandboxing protection,” said Jérôme Segura, information security researcher at Malwarebytes.
Early last year, the professionals unpacked an exploit in nature that exploited two different components when a malicious Microsoft Word file targeted Emmanuel Macron’s staff. Eset commented that the DOCX file exploited remote code execution vulnerability in Word and a local privilege escalation failure in Windows. The document was used to install surveillance malware used by Fancy Bear.
This time the PDF was found in VirusTotal. The body of the document only said “PDF sample”. Malwarebytes and Eset loaded the file to test if several antivirus vendors could detect it.
Information security experts commented that instead of installing malware, the file downloaded and installed a calculation program. Before the attackers could use the PDF, Eset reported the vulnerabilities to Microsoft and Adobe.