Adobe Reader and Acrobat Get Patches for Two Critical Flaws
Adobe Systems released new security patches for Adobe Reader and Acrobat to fix two critical vulnerabilities that could allow hackers to execute malicious code on computers.
Both flaws were reported privately by external researchers through Trend Micro’s Zero Day Initiative (ZDI) vulnerability acquisition program. Adobe is not aware of any exploits for these issues being available in the wild.
One vulnerability, tracked as CVE-2018-16011, is a use-after-free memory corruption bug that can lead to arbitrary code execution in the context of the current user. The other, CVE-2018-16018, is a security bypass issue that can be used for privilege escalation.
In practice, modern Reader exploits come in exactly this two-stage shape: a memory-corruption bug yields code execution inside Reader's sandbox, and a separate privilege-escalation or sandbox-bypass bug is needed to reach the underlying system. The two flaws fixed here could therefore be chained to take full control of a machine, provided the second one is enough to defeat the sandbox.
Adobe advises users to upgrade to Acrobat DC and Acrobat Reader DC version 2019.010.20069 if they are on the Continuous track; to Acrobat 2017 and Reader DC 2017 version 2017.011.30113 if they are on the Classic 2017 track; and to Acrobat DC and Reader DC version 2015.006.30464 if they are on the Classic 2015 track.
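A practitioner checking an inventory against this bulletin has to compare build numbers numerically (a string comparison puts "2019.8.x" after "2019.010.x") and has to work out which track an install is on. The following is an added example, not Adobe's code; it assumes the fixed versions quoted above and assumes Adobe's numbering convention that Classic-track builds carry build numbers in the 3xxxx range while Continuous-track builds use 2xxxx (which is why a 2015.023.2xxxx install is Continuous, not Classic 2015). The short "19.010.20069" form handled below is an assumed inventory format, not something the bulletin states.

```python
"""Check whether an Acrobat/Reader DC build is at or above the fixed
versions from the Adobe bulletin quoted above.

Added example, not Adobe's code. Assumptions: version strings look like
"2019.010.20069", or the short form "19.010.20069" that some inventories
are assumed to report; Classic builds are numbered 3xxxx and Continuous
builds 2xxxx (assumed Adobe convention).
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed versions per track, taken from the bulletin text above.
FIXED_VERSIONS = {
    "Continuous": (2019, 10, 20069),
    "Classic 2017": (2017, 11, 30113),
    "Classic 2015": (2015, 6, 30464),
}


def parse_version(s: str) -> Version:
    """Turn 'yyyy.mmm.bbbbb' (or 'yy.mmm.bbbbb') into a comparable int tuple."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, build = (int(p) for p in parts)
    if major < 100:          # assumed short-form year, e.g. 19 -> 2019
        major += 2000
    return (major, minor, build)


def track_for(version: Version) -> Optional[str]:
    """Classic builds use 3xxxx build numbers, Continuous 2xxxx (assumed)."""
    year, _, build = version
    if build >= 30000:
        if year == 2017:
            return "Classic 2017"
        if year == 2015:
            return "Classic 2015"
        return None          # Classic track not covered by this bulletin
    return "Continuous"


def is_patched(version_str: str) -> Tuple[str, bool]:
    """Return (track, patched) for an installed version string."""
    version = parse_version(version_str)
    track = track_for(version)
    if track is None:
        raise ValueError(f"no known track for {version_str!r}")
    # Tuple comparison is element-wise and numeric, so 010 < 8 cannot happen.
    return track, version >= FIXED_VERSIONS[track]


if __name__ == "__main__":
    for installed in ("2019.010.20069", "2019.008.20081", "2015.023.20056",
                      "2017.011.30110", "2015.006.30464"):
        track, ok = is_patched(installed)
        print(f"{installed:16} {track:13} {'patched' if ok else 'VULNERABLE'}")
```

Note that the 2015.023.20056 case is the one that trips naive scripts: its year component matches the Classic 2015 track, but the 2xxxx build number marks it as an old Continuous build that is well behind 2019.010.20069.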
Adobe Reader used to be a favorite target for attackers, along with Java and other widely used software programs that could be accessed through browser plug-ins. In recent years, the application has become much more difficult to exploit, thanks to extensive code clean-ups and the addition of defense mechanisms such as sandboxing.
However, zero-day Adobe Reader exploits are still occasionally found in real-world attacks where they’re primarily used by cyberespionage groups to compromise high-value targets. Some public exploit brokers pay up to $80,000 for Adobe Reader exploit chains that lead to remote code execution with a sandbox bypass.
Spyware Apps with Phishing Features Found on Google Play
Several applications on Google Play with hundreds of thousands of downloads were found stealing sensitive information and credentials from users.
Researchers from antivirus vendor Trend Micro have dubbed the spyware MobSTSPY and found it masquerading as games and utility apps, including Flappy Birr Dog, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird.
Many of these applications were removed from Google Play last year, but their presence in the app store in the first place shows that attackers still find ways to bypass Google Play's anti-malware defenses.
MobSTSPY uses Firebase Cloud Messaging (FCM) to communicate with a command-and-control server. Once a newly infected device is registered with the server, attackers can instruct the malware to steal text messages, contact lists, call logs, files and more. The malware also has phishing capabilities: it can display fake Facebook and Google log-in pop-ups to steal users' credentials.
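The capability mix described above (broad data-access permissions, a push-messaging channel for remote tasking, and a way to draw fake log-in screens) is visible in an app's manifest before any of its code runs, which makes it a cheap static triage signal. The script below is an added example, not Trend Micro's tooling or anything from the MobSTSPY report: it parses a decoded AndroidManifest.xml (as produced by apktool) and flags the combination. The sample manifest is constructed to look like a flashlight app with spyware permissions, the use of SYSTEM_ALERT_WINDOW as the overlay indicator is a common pattern assumed here rather than something the article attributes to MobSTSPY, and the "two or more permissions plus a channel" threshold is an arbitrary analyst heuristic, not a signature.

```python
"""Static triage of a decoded AndroidManifest.xml for the spyware pattern
discussed above: data-access permissions plus a Firebase Cloud Messaging
receiver (remote tasking) and overlay permission (fake log-in pop-ups).

Added example, not Trend Micro's code. The manifest is constructed, the
overlay indicator is an assumed common pattern, and the threshold is an
arbitrary triage heuristic.
"""
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"   # the android:name attribute, namespaced

# Permissions a flashlight or casual game has no business requesting.
DATA_ACCESS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Lets an app draw over other apps: the usual route to fake log-in screens.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# Intent action that routes FCM pushes to an app's FirebaseMessagingService.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample resembling a "flashlight" app that asks for far more
# than a flashlight needs. Not any real app's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="FlashLight">
    <activity android:name=".MainActivity"/>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Summarise the permission/receiver mix and give a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    data_access = sorted(perms & DATA_ACCESS_PERMS)
    has_overlay = OVERLAY_PERM in perms
    # Any <service> whose intent filter carries the FCM action receives pushes.
    has_fcm = any(
        action.get(NAME) == FCM_ACTION
        for service in root.iter("service")
        for action in service.iter("action")
    )
    # Heuristic: two or more data-access permissions together with a
    # remote-tasking channel or overlay capability is worth an analyst's look.
    suspicious = len(data_access) >= 2 and (has_fcm or has_overlay)
    return {
        "package": root.get("package"),
        "data_access_permissions": data_access,
        "fcm_receiver": has_fcm,
        "overlay_permission": has_overlay,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

This only ranks apps for a human to look at; an FCM receiver is common in perfectly legitimate apps, and a phishing overlay can also be built with an ordinary full-screen activity, so the verdict is a prioritisation hint rather than a detection.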
Trend Micro has detected infections with MobSTSPY on devices from 196 countries, showing the wide reach malware can have when distributed through Google Play. The top three countries by number of infected devices according to Trend Micro’s telemetry data were India, Russia and Pakistan, but the United States was also in the top 10.
The most common security advice given to Android users is to only install applications from Google Play. While that is a valid recommendation, users should also be aware that there have been many incidents of malicious apps being found in the official app store. Unfortunately, such malware is difficult to spot without an antivirus program because it’s usually embedded in functional applications.
“This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices,” the Trend Micro researchers said in a blog post. “The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks.”