Researchers Take Down Double Zero-Days Before They Could Have Been Exploited by Attackers
Security researchers at ESET and Microsoft have reported finding two zero-day exploits that were used in a single malicious PDF document. The document exploited two previously unknown vulnerabilities: a remote code execution vulnerability in Adobe Reader and a privilege escalation vulnerability in Microsoft Windows.
“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction,” the researchers write. “APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.”
Microsoft and Adobe have both since released patches for these two vulnerabilities. The Microsoft research team clarified that the bugs did not affect the latest platforms such as Windows 10.
This malicious PDF was found on VirusTotal, but Microsoft said that the company hasn’t “observed actual attacks perpetrated using these exploits.” Here’s the list of products that are affected:
- Acrobat DC (2018.011.20038 and earlier versions)
- Acrobat Reader DC (2018.011.20038 and earlier versions)
- Acrobat 2017 (011.30079 and earlier versions)
- Acrobat Reader DC 2017 (2017.011.30079 and earlier versions)
- Acrobat DC (Classic 2015) (2015.006.30417 and earlier versions)
- Acrobat Reader DC (Classic 2015) (2015.006.30417 and earlier versions)
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows and Adobe zero-days discovered and patched before attackers had time to deliver them
In a rare timely collaboration, security researchers were able to get these bugs patched before they could be exploited by attackers. “Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers,” Microsoft wrote.
Patches are now available for both Adobe and Microsoft users: