A critical zero-day security vulnerability has been uncovered in Adobe Reader, which hackers have been actively exploiting since last December. Security researcher Haifei Li noted that by using specially crafted PDF files, attackers can trigger the flaw and execute malicious code without requiring the user to perform any additional actions.
Haifei Li, founder of the sandbox vulnerability detection platform EXPMON, issued a warning on Tuesday stating that the attackers are employing a "highly sophisticated, fingerprint-based" PDF exploitation technique. The vulnerability affects the latest versions of Adobe Reader and can be used not only to steal local system information but also, potentially, to achieve remote code execution (RCE) or a sandbox escape (SBX), granting the attacker full control over the victim's computer.
Targeted Attacks on the Energy Sector
Threat intelligence analyst Gi7w0rm conducted an in-depth analysis of these attacks. The investigation revealed that the malicious PDF documents utilized Russian-language phishing lures, focusing on recent developments in Russia's oil and gas industry. This discovery suggests that the attackers may be targeting specific sectors.
Haifei Li emphasized that the security risk is extremely high, as attackers can exfiltrate data through Acrobat API interfaces such as `util.readFileIntoStream` and `RSS.addFeed`. He has notified Adobe of his findings, but until an official patch is released, users are advised to avoid opening any PDF files from untrusted sources.
To mitigate the impact, network defenders can monitor and block HTTP/HTTPS traffic where the User-Agent header contains the string "Adobe Synchronizer." Given the widespread danger posed by this vulnerability and the fact that it is already being actively exploited, Li stated that he decided to disclose his research findings immediately to alert global users to remain highly vigilant.
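The User-Agent indicator above is the one concrete, defender-side detection point the article gives. The following script is an added example, not code from the article or from EXPMON: it parses proxy or web-server access logs in Apache combined log format (the User-Agent is the last quoted field), flags every request whose User-Agent contains "Adobe Synchronizer" (matched case-insensitively), and returns the hits as structured records that can be fed to a SIEM or used to build a block list. The log lines are constructed for the demonstration; the log format and the assumption that the User-Agent is visible (i.e. TLS is terminated or inspected at the proxy) are mine, not the article's. The article does not say whether legitimate Acrobat components also present this User-Agent, so review the hits before turning monitoring into outright blocking.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache "combined" access-log format, as written by many proxies and web
# servers. The User-Agent header is the final quoted field. (Format assumed
# for this example; adjust the pattern to your own log source.)
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator from the article, lower-cased so the match is case-insensitive.
SUSPECT_UA = "adobe synchronizer"


@dataclass
class Hit:
    ts: str
    client: str
    request: str
    user_agent: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-log line into its fields, or None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_synchronizer_requests(lines: List[str]) -> List[Hit]:
    """Return every request whose User-Agent contains the 'Adobe Synchronizer' string."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-log lines rather than failing
        if SUSPECT_UA in rec["ua"].lower():
            hits.append(Hit(rec["ts"], rec["client"], rec["request"], rec["ua"]))
    return hits


def clients_by_hit_count(hits: List[Hit]) -> Dict[str, int]:
    """Aggregate hits per source client so the noisiest hosts surface first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample log lines (not real traffic). Hosts use the reserved
# ".invalid" TLD so nothing here resolves.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Mar/2024:09:15:01 +0000] "GET http://feeds.example.invalid/rss.xml HTTP/1.1" 200 512 "-" "Adobe Synchronizer"',
    '10.1.2.4 - - [10/Mar/2024:09:15:07 +0000] "GET http://www.example.invalid/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.1.2.3 - - [10/Mar/2024:09:15:09 +0000] "GET http://feeds.example.invalid/rss2.xml HTTP/1.1" 200 480 "-" "Adobe Synchronizer"',
    '10.1.2.5 - - [10/Mar/2024:09:16:12 +0000] "POST http://collect.example.invalid/up HTTP/1.1" 200 128 "-" "adobe synchronizer/1.0"',
    'this is not a log line and is skipped',
]


if __name__ == "__main__":
    found = find_synchronizer_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts}  {h.client}  {h.request}  UA={h.user_agent!r}")
    print("hits per client:", clients_by_hit_count(found))
```

Note that for HTTPS the User-Agent header travels inside TLS: a forward proxy that only logs `CONNECT host:443` lines never sees it, so this check is only effective where the proxy terminates or inspects TLS, or on the endpoint itself.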
As of now, Adobe has not responded to these findings. The persistence of this vulnerability underscores the weaknesses in the security mechanisms of document processing software and reflects the ongoing escalation of sophisticated, targeted cyberattacks.