McAfee has cited what it termed, "another zero-day attack targeting Adobe Acrobat Reader," that can infiltrate customer networks.
According to McAfee's blog, the currently unpatched exploit opens the door to code execution when a user simply reads a malicious PDF document.
The blog features screenshots of the viewable JavaScript code once the stream has been unpacked. McAfee notes, "Although the content of the compressed stream may look like random data, when unpacked the JavaScript code will fill a certain memory area with malicious x86 assembly code and cause the exploited Adobe software to execute the shell-code, commonly known as heap spray."
McAfee said this code is embedded as a malformed and escaped sequence of hex bytes.
"After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0?A666F65 in this example) is immediately followed by stage two of the shellcode and is then branched into," notes the blog.
The blog also features a screenshot of the PDF's embedded egg, followed by x86 machine code, part of stage 2. McAfee notes, "The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and unveils an embedded executable."
For full information users can go to the blog here.
OK, so you want to stamp your document. Maybe you need to give reviewers some advice about the document's status or sensitivity. This tip from author Ted Padova demonstrates how to add stamps with the Stamp Tool along with related comments.
Generate more, higher-quality sales leads from your PDF marketing content. Docmetrics is a web-based system that lets you capture previously unavailable reader data. Free trial.
