New tool finds vulnerabilities in the way applications like Microsoft Word and Adobe Acrobat process JavaScript: cooperative mutation

A group of researchers has developed a tool that detects errors in the way applications such as Adobe Acrobat and Microsoft Word process embedded scripts such as JavaScript. With it they found a total of 134 security flaws, 33 of which have already received CVE identifiers.

The tool is called “Cooper”, after the technique it employs, known as “cooperative mutation”. Xu Peng, a software development specialist and co-author of the tool, explains that applications like these accept input from scripting languages; Acrobat, for example, lets JavaScript manipulate PDF files.

To support this, Acrobat must both parse the native PDF objects the document defines and execute the JavaScript code it embeds. Native objects are handled by Acrobat's own modules, a built-in JavaScript engine runs the scripts, and a “binding layer” translates between the two.
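To make the two sides concrete, here is an added example (not from the article and not part of Cooper) that builds a minimal PDF containing one native object, an AcroForm text field, and a document-level JavaScript action that reaches that field by name. The field name “user_name” and the script text are constructed for the example; `this.getField()` is Acrobat's real API. The script never sees the field dictionary directly: the lookup by name is resolved by the binding layer, which is exactly the code Cooper targets.

```python
"""Minimal PDF with one native object (an AcroForm text field) and a document-level
JavaScript action that reaches it by name through Acrobat's binding layer.

Added example, not from the article or from Cooper. The field name "user_name"
and the script text are constructed; this.getField() is Acrobat's real API."""


def pdf_string(s: str) -> str:
    """Escape a Python str for use inside a PDF literal string (...)."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_pdf(field_name: str, script: str) -> bytes:
    """Return a one-page PDF: a text-field widget (native object) plus an /OpenAction
    JavaScript that runs when the document opens and modifies that field."""
    objects = [
        # 1: catalog wires the form (native side) and the script (scripting side) together
        "<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >> /OpenAction 6 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [5 0 R] /Contents 4 0 R >>",
        "<< /Length 0 >>\nstream\n\nendstream",
        # 5: the native object the script will touch
        f"<< /Type /Annot /Subtype /Widget /FT /Tx /T ({pdf_string(field_name)}) /V (initial)"
        " /Rect [10 10 190 40] /P 3 0 R >>",
        # 6: the JavaScript action; the binding layer resolves the field lookup
        f"<< /S /JavaScript /JS ({pdf_string(script)}) >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset recorded for the xref table
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_pos = len(out)
    size = len(objects) + 1
    out += f"xref\n0 {size}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {size} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n".encode()
    return bytes(out)


def verify_xref(pdf: bytes) -> bool:
    """Check that every in-use xref entry points at 'N 0 obj' for the right N."""
    start = int(pdf[pdf.rindex(b"startxref") + 9:].split()[0])
    lines = pdf[start:].split(b"\n")
    if lines[0] != b"xref":
        return False
    count = int(lines[1].split()[1])
    return all(pdf[int(lines[2 + n].split()[0]):].startswith(f"{n} 0 obj".encode())
               for n in range(1, count))


if __name__ == "__main__":
    doc = build_pdf("user_name", 'this.getField("user_name").value = "set by script";')
    with open("field_script.pdf", "wb") as fh:
        fh.write(doc)
    print("xref consistent:", verify_xref(doc))
```

Whether the script actually runs when the file is opened depends on the viewer's JavaScript settings; the point of the example is the structure, not the payload. Object 5 is what the article calls a native object and object 6 is the script; a fuzzer that mutates only one of them leaves most of the translation code between them unexercised.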

Xu and his collaborators argue that binding code is prone to inconsistent semantics between the two sides and to other security gaps, which can lead to severe vulnerabilities. Using Cooper, the researchers identified CVE-2021-21035 and CVE-2021-21028, two severe vulnerabilities in Adobe Acrobat.

Cooper's developers were able to find these bugs because cooperative mutation modifies the script code and the related document objects at the same time, so that each test exercises a different path through the binding code. This contrasts with earlier approaches that mutate only the scripts.

Cooper has three main components:

  • Object clustering: Cooper first analyzes the given sample documents to extract native objects. To reduce the object search space, it classifies objects according to their attributes.
  • Relationship inference: The tool then produces a large number of documents by combining different object classes and API groups, recording the execution results of the built-in scripts. From the success rate of script execution and the distribution of object classes, Cooper infers the relationships between API groups and object classes.
  • Relationship-guided mutation: Finally, Cooper uses the inferred relationships to guide object selection, script generation and object mutation.
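The three stages above, as an added toy model that is not Cooper's code: the API groups, the seed objects, the simulated `binding_call()` target and its two planted bugs are all constructed here. Objects are clustered by their attribute set, relationships are inferred from the script success rate of every (API group, class) combination on seed objects, and the fuzzing loop then mutates an object and generates a script for the same pair at once. `compare()` runs the same budget with and without the inferred relationships, so you can see how much of an unguided run is wasted on type errors in the binding instead of reaching the deeper code where the planted bugs sit.

```python
"""Toy model of Cooper's three stages (object clustering, relationship inference,
relationship-guided mutation) run against a simulated binding layer.

Added example, not Cooper's code. The API groups, seed objects, binding_call()
and its two planted bugs are all constructed for this illustration."""
import random
from collections import Counter, defaultdict

API_GROUPS = {"field_api": ["getField", "setValue"], "annot_api": ["getAnnot", "resize"]}

SEED_OBJECTS = [  # constructed native objects extracted from "sample documents"
    {"name": "user_name", "value": "initial"},
    {"name": "email", "value": "a@b.c"},
    {"subtype": "Widget", "rect": [10, 10, 100, 40]},
    {"subtype": "Link", "rect": [0, 0, 50, 20]},
    {"title": "Chapter 1", "dest": [1, 0, 0]},
]


def binding_call(api, obj):
    """Simulated binding code: 'ok', 'type_error' (script fails) or 'crash'.
    The two planted bugs stand in for memory-safety flaws on the native side."""
    if api in API_GROUPS["field_api"]:
        if "value" not in obj:
            return "type_error"
        return "crash" if api == "setValue" and len(obj["value"]) > 32 else "ok"  # fixed-size copy
    if api in API_GROUPS["annot_api"]:
        if "rect" not in obj:
            return "type_error"
        x0, _, x1, _ = obj["rect"]
        return "crash" if api == "resize" and x1 < x0 else "ok"  # negative-width underflow
    return "type_error"


def cluster_objects(objects):
    """Stage 1: class label = set of attribute names; shrinks the object search space."""
    classes = defaultdict(list)
    for obj in objects:
        classes[frozenset(obj)].append(dict(obj))
    return classes


def make_script(rng, group):
    """A script is an ordered list of 1-3 API calls drawn from one API group."""
    return [rng.choice(API_GROUPS[group]) for _ in range(rng.randint(1, 3))]


def run_script(script, obj):
    """Execute the calls in order; return (result, api) at the first non-ok call."""
    for api in script:
        result = binding_call(api, obj)
        if result != "ok":
            return result, api
    return "ok", None


def infer_relationships(rng, classes, trials=20, threshold=0.5):
    """Stage 2: combine every API group with every class on seed objects and keep
    the pairs whose scripts mostly succeed, i.e. the bindings that actually exist."""
    relations = []
    for group in API_GROUPS:
        for label, pool in classes.items():
            ok = sum(run_script(make_script(rng, group), rng.choice(pool))[0] == "ok"
                     for _ in range(trials))
            if ok / trials >= threshold:
                relations.append((group, label))
    return relations


def mutate(rng, obj):
    """Mutate one attribute: grow a string, or nudge one number in a list."""
    child = dict(obj)
    key = rng.choice(sorted(child))
    val = child[key]
    if isinstance(val, str):
        child[key] = val + "".join(rng.choice("AB") for _ in range(rng.randint(1, 24)))
    elif isinstance(val, list):
        val = list(val)
        val[rng.randrange(len(val))] += rng.randint(-60, 60)
        child[key] = val
    return child


def fuzz(rng, classes, pairs, iterations):
    """Stage 3: pick a (group, class) pair, mutate an object of that class AND generate
    a script for that group (the cooperative part), run it, feed the mutant back into
    the pool. 'pairs' is the inferred relation list (guided) or every combination."""
    stats, crashes = Counter(), []
    for _ in range(iterations):
        group, label = rng.choice(pairs)
        child = mutate(rng, rng.choice(classes[label]))
        result, api = run_script(make_script(rng, group), child)
        stats[result] += 1
        if result == "crash":
            crashes.append((api, child))
        classes[label].append(child)
    return stats, crashes


def compare(seed=7, iterations=3000):
    """Same budget and seed, guided vs. unguided; returns per-mode statistics."""
    out = {}
    for mode in ("guided", "unguided"):
        rng = random.Random(seed)
        classes = cluster_objects(SEED_OBJECTS)
        relations = infer_relationships(rng, classes)
        pairs = relations if mode == "guided" else [(g, l) for g in API_GROUPS for l in classes]
        stats, crashes = fuzz(rng, classes, pairs, iterations)
        out[mode] = {"relations": len(relations), "stats": dict(stats),
                     "crashing_apis": sorted({api for api, _ in crashes})}
    return out
```

Run `compare()` and inspect the two entries: the guided run spends its whole budget on the two inferred relations and hits both planted bugs, while the unguided run spends roughly two thirds of its iterations on pairs the binding rejects with a type error before any native code is reached. The real tool works on document bytes and a real script engine rather than dicts and a stub, but the division of labour between the three stages is the same.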

Cooper is therefore a fuzzer that infers these relationships to guide its search for inputs under which the scripts and the application behave in unwanted ways.

The tool has been made publicly available by its developers.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.