Author Topic: Prevalence of Exploited PDFs  (Read 1311 times)

  • SCF Administrator
Prevalence of Exploited PDFs
« on: 07. October 2008., 07:16:52 »

While the threat landscape has changed dramatically over the past years, attackers are becoming increasingly aggressive in exploring ways to get into users’ systems. A spammed email with an EXE attachment no longer penetrates the wider network or users, now that most home users and enterprise networks have a certain level of awareness of information security. But how about spamming an exploited file like a PDF?

The incidents of exploited PDF files are not isolated. Instead, there has been a consistent prevalence and recurrence of this threat. So, what are the vulnerabilities being exploited? Most of the malicious PDF files we see exploit a known buffer overflow vulnerability in the "Collab.collectEmailInfo()" function which can be found in the Adobe PDF Reader JavaScript engine. This vulnerability was discovered in February of this year and was related to CVE-2007-5659 and CVE-2008-0655.

As shown in the screenshot below, the malicious stream data contains JavaScript that attempts to attack vulnerable versions and thereafter execute its embedded shellcode. Attackers often reuse the exact code and only change its payload.

Another vulnerability being constantly exploited is URI (Uniform Resource Identifier) handling, where attackers misuse “mailto” in order to execute commands. Here’s the screenshot of the malicious object inside the PDF file and the command executed behind these strings:

This vulnerability was discovered in September 2007 and was referred to as CVE-2007-5020. The interesting part here is that these vulnerabilities only exist in Adobe Reader and Acrobat 8.1.1 and earlier, which means updating to the latest version will protect users’ systems. Unfortunately, this doesn’t stop the attackers from continuously serving this threat.

CA products detect the malicious PDF file as PDF/Pidief and PDF/CVE-2007-5020!exploit.
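Added example (not part of the forum post or of the CA write-up it reproduces): a standard-library Python triage script that checks a PDF for the two indicator families described above, JavaScript reaching Collab.collectEmailInfo() (with the unescape()-built payload the post mentions) and /URI actions carrying a mailto: link that smuggles invalid escapes or path traversal. The sample PDF, its JavaScript and the mailto: link are constructed stand-ins built by build_sample_pdf(), not captured samples; the heuristics, the argument shape passed to collectEmailInfo and the mapping in summarize() to the CVE numbers the post cites are the editor's assumptions, not CA's signatures.

```python
"""Static triage of PDF files for the two indicator families the post describes:
JavaScript that calls Collab.collectEmailInfo() and /URI actions that abuse
mailto:. Standard library only, so it runs offline on a captured file."""
import re
import zlib

# Dictionary immediately followed by a stream body (handles one level of nesting).
STREAM_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)        # /URI (literal string)
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)   # /JS (literal string)

# Heuristics keyed on what the post reports seeing in the wild (editor's assumptions).
JS_INDICATORS = {
    "collab_collectemailinfo": re.compile(rb"Collab\s*\.\s*collectEmailInfo", re.I),
    "unescape_shellcode": re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){2,}", re.I),
}
# A mailto: URI is only flagged with an invalid %-escape, traversal, a quote or an .exe.
MAILTO_BAD_RE = re.compile(rb"%(?![0-9a-f]{2})|\.\./|\"|\.exe\b", re.I)


def extract_streams(data: bytes) -> list[bytes]:
    """Return every stream body, inflating /FlateDecode streams when possible."""
    out = []
    for m in STREAM_RE.finditer(data):
        dictionary, raw = m.group(1), m.group(2)
        # Prefer a direct /Length over the EOL guess; indirect lengths (n 0 R) are skipped.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        raw = raw[:int(length.group(1))] if length else raw.rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # malformed or truncated: still scan the raw bytes
        out.append(raw)
    return out


def scan_pdf(data: bytes) -> list[tuple[str, str]]:
    """Return (indicator, evidence) pairs found in the file, without duplicates."""
    findings = []

    def add(name, evidence):
        item = (name, evidence.decode("latin-1") if isinstance(evidence, bytes) else evidence)
        if item not in findings:
            findings.append(item)

    if b"/OpenAction" in data:
        add("openaction", "action runs when the document is opened")
    if b"/JavaScript" in data or re.search(rb"/JS\b", data):
        add("javascript", "document carries a JavaScript action")
    texts = extract_streams(data) + [m.group(1) for m in JS_INLINE_RE.finditer(data)]
    for text in texts:
        for name, rx in JS_INDICATORS.items():
            hit = rx.search(text)
            if hit:
                add(name, hit.group(0))
    for m in URI_RE.finditer(data):
        uri = m.group(1)
        if uri.lower().startswith(b"mailto:") and MAILTO_BAD_RE.search(uri):
            add("mailto_uri_abuse", uri)
    return findings


def summarize(findings) -> str:
    """Map the indicators to the vulnerability families the post names (editor's mapping)."""
    names = {n for n, _ in findings}
    if "collab_collectemailinfo" in names:
        return "Collab.collectEmailInfo() overflow (CVE-2007-5659 / CVE-2008-0655 family)"
    if "mailto_uri_abuse" in names:
        return "mailto: URI handling abuse (CVE-2007-5020)"
    if {"openaction", "javascript"} <= names:
        return "auto-running JavaScript, no known signature; inspect manually"
    return "no indicators from the post matched"


def build_sample_pdf(js: bytes, uri: bytes) -> bytes:
    """Constructed test input (not captured malware): a minimal PDF whose /OpenAction
    runs JavaScript held in a FlateDecode stream and whose page has one URI link."""
    body = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >> endobj\n",
        b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body),
        body, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed stand-ins: a heap-spray-shaped script calling the function the post names
# (placeholder bytes and an assumed argument shape, not a working exploit) and a
# mailto: link with an invalid escape plus traversal.
MALICIOUS_JS = (b'var sc = unescape("%u9090%u9090%ucccc");'
                b'var pad = ""; while (pad.length < 0x10000) pad += "\\x0c";'
                b'Collab.collectEmailInfo({msg: pad});')
MALICIOUS_URI = b"mailto:user%/../../../../windows/system32/calc.exe"
BENIGN_JS = b'app.alert("Thanks for reading");'
BENIGN_URI = b"http://www.example.com/"

if __name__ == "__main__":
    for js, uri in ((MALICIOUS_JS, MALICIOUS_URI), (BENIGN_JS, BENIGN_URI)):
        found = scan_pdf(build_sample_pdf(js, uri))
        print(summarize(found), found)
```

On a real sample, read the file in binary mode and pass the bytes to scan_pdf(); the script deliberately never opens the PDF in a reader. Only /FlateDecode is inflated, so streams behind other filters (ASCIIHexDecode, LZWDecode, filter chains) and JavaScript split across several strings will slip past the regexes; treat a hit as a reason to look closer, not a clean bill of health on a miss.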

