Adobe Systems has released new security patches for critical vulnerabilities in its Acrobat and Reader products, including one zero-day vulnerability found in the wild.
The updates fix 47 vulnerabilities, 24 of which are rated critical and can lead to remote code execution. The rest are rated important and can lead to information disclosure.
One vulnerability tracked as CVE-2018-4990 is particularly important because it was discovered in March by researchers from antivirus vendor ESET in a malicious PDF sample uploaded to a public repository.
Adobe Reader is a sandboxed application, so a memory corruption flaw on the order of CVE-2018-4990 is not sufficient to execute arbitrary code on the system. Attackers additionally need something to escape the sandbox, and in this case, they used a second zero-day vulnerability in Windows.
That privilege escalation flaw, known as CVE-2018-8120, was located in the Windows Win32k component and was patched by Microsoft last week.
Fully working exploit chains for Adobe Reader are not common and are very valuable to hackers because they provide an easy way into computers. Exploit broker Zerodium pays up to $80,000 for Adobe Reader exploit chains that lead to remote code execution.
PDF is a popular document format that’s widely used inside companies, so emails with PDF attachments are not generally viewed as suspicious by users.
It’s not clear what the goal of the attack was in this case, because the malicious PDF sample did not have any final payload attached to it. And since it wasn’t found in an active attack campaign, it’s not clear what the weaponized document was meant to deliver.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing,” the ESET researchers said in a blog post.
2018 Likely Will Be Another Record-Breaking Year for Vulnerabilities
A number of 5,375 vulnerabilities were reported during the first three months of 2o18, according to a newly released report from vulnerability intelligence firm Risk Based Security. This represents only a small growth compared to the same period of last year, but that quarter already saw a record-breaking number of vulnerabilities—almost 28 percent more than Q1 2016.
Almost 1 in 5 vulnerabilities reported during the first quarter of 2018 were rated critical, with CVSS scores over 9.0, according to the report. Almost half of them can be exploited remotely and a third have public exploits.
About 20 percent of the vulnerability disclosures were not coordinated with the affected vendors or through bug bounty programs and 1 in 4 flaws have no publicly documented solution.
“This underlines that while patching is very important, it cannot be solely relied on,” the Risk Based Security researchers said in their report. “A modern vulnerability management approach needs to be more than just patch management, it needs to make use of detailed vulnerability intelligence to understand and prioritize mitigation actions to address the ever-changing threats.”
Another problem is the increasing gap between the National Vulnerability Database (NVD), which relies solely on the Common Vulnerabilities and Exposures (CVE) catalog, and other vulnerabilities databases.
Of the 5,375 vulnerabilities tracked by Risk Based Security during the first quarter, CVE/NVD had information on only 3,585. This gap in coverage continues to increase every quarter, which means companies that rely solely on CVE/NVD to track vulnerabilities in their organizations have a considerable blind spot.