In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641), affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions, that was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but it has provided a means of mitigation against the attack in an advisory.
The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being dropped and downloaded as a result of a successful exploit. Our research can confirm these findings.
Figure 1. Attack using CVE-2013-0640
The steps in the attack, shown in Figure 1, are as follows:
Symantec has antivirus detections in place for the stages of this attack as Trojan.Pidief and Trojan.Swaylib (initially detected as Trojan Horse). The intrusion prevention system (IPS) signature Web Attack: Malicious PDF File Download 5 has also been released to detect usage of this specific Adobe exploit in further attacks.
Additional research has shown that the PDF used in this attack would have been caught by our Symantec Mail Security for Microsoft Exchange product, and that the dropped files used in this attack would have been detected as WS.Malware.2 by Symantec’s cloud-based detection technology.
Symantec is currently investigating further protections for this zero-day and will provide an update to this blog when possible. To protect against potential zero-day threats, Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protection is in place.