This 0-day vulnerability was discovered by Lockheed Martin’s Computer Incident Response Team and was found to be part of a targeted attack. The sample of the exploit analyzed by the researchers appears to come from Barclay’s bank in New York City.
Trojan Sykipot.
Vulnerability details
Advisory: SB2011120601 - Remote code execution in Adobe Acrobat and Adobe Reader
Vulnerable component: Adobe Reader
CVE-ID: CVE-2011-2462
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-119 - Memory corruption
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error when handling Universal 3D (U3D) data. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with the privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
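As an added defensive example (not part of this advisory or of any vendor tooling), a Python triage heuristic that flags PDF files carrying U3D/3D content, the component in which this CVE lives, so such files can be quarantined for deeper analysis. The marker names, return labels and sample PDFs are constructed assumptions.

```python
import re

# Constructed heuristics, not an official signature: /Subtype /U3D marks a 3D data
# stream, /Subtype /3D marks the annotation that embeds it.
U3D_MARKERS = {
    "u3d_stream": rb"/Subtype\s*/U3D",
    "3d_annotation": rb"/Subtype\s*/3D\b",
}

def find_u3d_indicators(pdf_bytes: bytes) -> dict:
    """Report which U3D markers appear and whether object streams could hide them."""
    hits = {name: bool(re.search(pat, pdf_bytes)) for name, pat in U3D_MARKERS.items()}
    # Objects packed into /ObjStm are compressed, so a raw byte scan cannot see their
    # dictionaries; a clean raw scan is not conclusive when object streams are present.
    hits["has_objstm"] = b"/ObjStm" in pdf_bytes
    return hits

def triage(pdf_bytes: bytes) -> str:
    """Classify a file: not-pdf, u3d-present, inconclusive-objstm or no-u3d."""
    # Reader is lenient and accepts the %PDF header anywhere in the first 1024 bytes,
    # so do not require it at offset 0.
    if b"%PDF" not in pdf_bytes[:1024]:
        return "not-pdf"
    ind = find_u3d_indicators(pdf_bytes)
    if ind["u3d_stream"] or ind["3d_annotation"]:
        return "u3d-present"
    return "inconclusive-objstm" if ind["has_objstm"] else "no-u3d"

# Constructed sample inputs: a minimal PDF with a 3D annotation and U3D stream,
# a plain PDF, and one that uses object streams (markers may be hidden inside).
SAMPLE_3D_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /3D /3DD 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\n"
                 b"endstream\nendobj\n%%EOF\n")
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_OBJSTM_PDF = (b"%PDF-1.5\n3 0 obj\n<< /Type /ObjStm /N 2 /First 10 /Length 0 "
                     b"/Filter /FlateDecode >>\nstream\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, data in [("3d", SAMPLE_3D_PDF), ("plain", SAMPLE_PLAIN_PDF),
                        ("objstm", SAMPLE_OBJSTM_PDF)]:
        print(label, triage(data), find_u3d_indicators(data))
```

Files classified as u3d-present or inconclusive-objstm should be opened only in a sandbox or parsed with a full PDF parser that inflates object streams before deciding.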
Known APT campaigns:
Sykipot campaigns
Sykipot attacks trace back to 2006.
The attackers were sending emails with specially crafted links or content containing the JS.Sykipot and Backdoor.Sykipot Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).
According to Symantec, the Sykipot group has Chinese roots.
Public Exploits:
- Adobe Reader - U3D Memory Corruption (Metasploit) [Exploit-DB]
External links:
http://www.adobe.com/support/security/advisories/apsa11-04.html
https://www.adobe.com/support/security/bulletins/apsb11-30.html
http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html
https://securingtomorrow.mcafee.com/mcafee-labs/inside-adobe-reader-zero-day-exploit-cve-2011-2462/
https://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2366/vulnerability-in-u3d-compo...
http://blog.9bplus.com/analyzing-cve-2011-2462/
https://blogs.forcepoint.com/security-labs/adobe-reader-and-acrobat-vulnerability-cve-2011-2462
https://www.totaldefense.com/security-blog/new-zero-day-attack-in-adobe-products-cve-2011-2462
http://www.threatgeek.com/2011/12/adobe-reader-0-day-notes-cve-2011-2462.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_READER_U3D
https://www.fireeye.com/blog/threat-research/2013/02/threat-actors-mandiant-apt1-report-spear-phishi...
https://nakedsecurity.sophos.com/2011/12/10/targeted-emails-exploit-new-acrobat-reader-vulnerability...
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=398
http://securityresponse.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=notable_zero...
http://www.securityweek.com/adobe-warns-critical-zero-day-vulnerability-reader-and-acrobat-products