Blunder burns unicorn attack that exploited Windows and Reader

Enlarge (credit: Lisa Cooper / Flickr)

It’s not every day someone develops a malware attack that, with one click, exploits separate zero-day vulnerabilities in two widely different pieces of software. It’s even rarer that a careless mistake burns such a unicorn before it can be used. Researchers say that’s precisely happened to malicious PDF document designed to target unpatched vulnerabilities in both Adobe Reader and older versions of Microsoft Windows.

Modern applications typically contain “sandboxes” and other defenses that make it much harder for exploits to successfully execute malicious code on computers. When these protections work as intended, attacks that exploit buffer overflows and other common software vulnerabilities result in a simple application crash rather than a potentially catastrophic security event. The defenses require attackers to chain together two or more exploits: one executes malicious code, and a separate exploit allows the code to break out of the sandbox.

A security researcher from antivirus provider Eset recently found a PDF document that bypassed these protections when Reader ran on older Windows versions. It exploited a then-unpatched memory corruption vulnerability, known as a double free, in Reader that made it possible to gain a limited ability to read and write to memory. But to install programs, the PDF still needed a way to bypass the sandbox so that the code could run in more sensitive parts of the OS.