HP ZDI Finds 100 Vulnerabilities in Adobe Reader

Adobe has been in the security news a lot lately for vulnerabilities in its Flash software, but that’s not the only area where security is a concern. Brian Corenc, manager of vulnerability research at HP’s Zero Day Initiative, said issues in Adobe’s Reader PDF software also can expose users to risk.

ZDI found approximately 40 vulnerabilities related to JavaScript APIs that are available to authors for use in Adobe Reader for PDF documents, said Gorenc, speaking at the DEF CON security conference in Las Vegas on August 9. The 40 vulnerabilities are only the tip of the iceberg, though, as HP ZDI has found and reported approximately 100 vulnerabilities so far this year to Adobe about the Reader product.

APIs a ‘Rich Attack Surface’

“The APIs offer a lot of rich functionality including the ability to process forms, handle multimedia and communicate with databases,” Gorenc said. “They also offer a rich attack surface to people that are looking for bugs in software.”

HP’s researchers were able to exploit Adobe Reader through a multi-step process. First they were able to obtain an arbitrary eval() string property over loading, then chain it with a privilege escalation attack using trusted code blocks in Adobe Reader. Finally, Gorenc and his team leveraged some undocumented APIs to execute malicious code against a target.

“There was a set of undocumented APIs that we were able to reverse engineer,” Gorenc said. “That allowed us a multi-platform attack against Windows and Mac OS X.”

HP has coordinated with Adobe on the disclosure and many of the vulnerabilities have been patched, Gorenc emphasized. The issues he discussed at DEF CON were patched in the last two Adobe Reader updates identified as APSB-15-15 and APSB15-16.

Even with Adobe’s patching, though, Gorenc said a significant attack surface remains for researchers to examine and potentially find other issues.

While Adobe Reader has multiple levels of protection including a sandbox, Gorenc said that getting around the sandbox to execute code is do-able.

The ZDI program at HP buys vulnerabilities from researchers, though Gorenc noted that at this point HP is doing a lot of research on its own into Adobe security. So far in 2015, HP has made approximately 100 security vulnerability disclosures to Adobe just for Reader.

“Adobe has fixed a lot of our vulnerabilities in the last two set of patches, but if you look at the HP ZDI upcoming advisories page you’ll see a lot of discoveries from my team for Adobe Reader,” Gorenc said. “The vulnerabilities include use-after-free memory corruption, sandbox escapes and all sorts of other vulnerability types.”

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Top Cybersecurity Companies

Related articles