McAfee cites potential PDF Zero Day flaw

McAfee has cited what it termed ‘another zero-day attack targeting Adobe Acrobat Reader’, one that can infiltrate customer networks.

According to McAfee’s blog, the currently unpatched exploit opens the door to code execution when a user simply reads a malicious PDF document.

The blog features screenshots of the viewable JavaScript code once the stream has been unpacked. McAfee notes, ‘Although the content of the compressed stream may look like random data, when unpacked the JavaScript code will fill a certain memory area with malicious x86 assembly code and cause the exploited Adobe software to execute the shell-code, commonly known as heap spray.’

McAfee said this code is embedded as a malformed and escaped sequence of hex bytes.

‘After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0x0A666F65 in this example) is immediately followed by stage two of the shellcode and is then branched into,’ notes the blog.

The blog also features a screenshot of the PDF’s embedded egg, followed by x86 machine code, part of stage two. McAfee notes, ‘The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and unveils an embedded executable.’
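The three traits the article describes (a JavaScript heap spray built from escaped hex bytes, an egg signature marking stage two, and a XOR-hidden executable behind it) can each be checked for in a triage script. The script below is an added example, not code from this article or from McAfee's post; the byte order of the egg, the %u-run threshold and the single-byte XOR key search are assumptions, and the sample PDF is constructed inline.

```python
import re
import zlib

# Egg quoted in the post (0x0A666F65); both byte orders are tried because the
# post does not say how it is laid out in the file (assumption).
EGG_BYTES = ((0x0A666F65).to_bytes(4, "little"), (0x0A666F65).to_bytes(4, "big"))
# Sixteen or more consecutive %uXXXX escapes is a heuristic threshold (assumption).
ESCAPED_RUN = re.compile(rb"(?:%u[0-9A-Fa-f]{4}){16,}")
DOS_STUB = b"This program cannot be run in DOS mode"


def stream_bodies(pdf):
    """Yield each stream body, inflated when zlib accepts it, otherwise raw."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def xor_key_hiding_pe(blob):
    """Single-byte XOR key under which blob contains a DOS stub, or None."""
    for key in range(256):
        if bytes(b ^ key for b in DOS_STUB) in blob:
            return key
    return None


def triage_pdf(pdf):
    """Report the three traits from the post for one PDF given as bytes."""
    report = {"escaped_runs": 0, "egg_offset": None, "xor_key": None}
    for body in stream_bodies(pdf):
        report["escaped_runs"] += len(ESCAPED_RUN.findall(body))
    for egg in EGG_BYTES:
        pos = pdf.find(egg)
        if pos != -1:
            report["egg_offset"] = pos
            # Stage two follows the egg; look for a XOR-hidden executable there.
            report["xor_key"] = xor_key_hiding_pe(pdf[pos + 4:])
            break
    return report


# Constructed sample, not a real document: JS with a long %u run in a
# FlateDecode stream, then an egg followed by the DOS stub XORed with 0x5A.
SAMPLE_JS = b"var s = unescape('" + b"%u4141" * 20 + b"');"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Filter/FlateDecode>>stream\n"
              + zlib.compress(SAMPLE_JS) + b"\nendstream\nendobj\n"
              + EGG_BYTES[0] + bytes(b ^ 0x5A for b in DOS_STUB) + b"\n%%EOF")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```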

Full details are in McAfee’s blog post.

About the Author: Nettie Hartsock
