Adobe PDF Zero-Day Flaw Enables Location Tracking


McAfee has detected ongoing attacks targeting an Adobe Reader zero-day vulnerability that could enable attackers to track when and where a malicious file is opened.

The firm said it detected malicious PDF files that can enable a sender to see when and where a file is opened, wrote Haifei Li, a McAfee threat researcher. While the flaw is not serious -- it doesn't enable remote code execution -- it can be used as part of a targeted attack campaign, Li wrote.

"We don't want to overvalue the issue. However, we do consider this issue a security vulnerability," Li wrote. "Our investigation shows that the samples were made and delivered by an 'email tracking service' provider. We don't know whether the issue has been abused for illegal or APT attacks."


Adobe has not yet confirmed the vulnerability, according to McAfee. A targeted attack often collects data from the victim, and exploiting the flaw opens the possibility of stealing sensitive data on individual behaviors and use patterns, Li said.

"Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim's computing routine," Li wrote. "In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs."

Additional coding could enable an attacker to obtain the location of the file on the system. As a workaround until Adobe makes a fix available, Reader users can disable JavaScript in Reader.

Li said the vulnerability is an example of how traditional security technologies that monitor for memory corruption and code execution will miss the malicious nature of the PDF files. McAfee used its behavioral analysis capabilities to detect and flag the unusual behavior of the files, Li said.
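A first-pass static triage of the kind a defender might apply to suspicious PDFs before deeper behavioral analysis, written here as an added example (it is not McAfee's detection logic, and the embedded PDF fragment is constructed): it flags the name tokens that let a document run script or reach out when opened, and resolves the #xx hex escapes in names that defeat a naive grep.

```python
import re

# Constructed sample: a minimal PDF fragment whose OpenAction runs JavaScript and which
# also carries a URI action. The /J#61vaScript name uses PDF's #xx hex escape, a common
# way to hide the token from simple string searches. The script body is a placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (constructed placeholder, not a working script) >> endobj
4 0 obj << /S /URI /URI (http://tracker.example/open) >> endobj
trailer << /Root 1 0 R >>
"""

# PDF name tokens that let a document execute script or contact the network when opened.
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "URI", "SubmitForm", "Launch", "GoToR"}

NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#]+)")


def decode_name(raw: bytes) -> str:
    """Resolve PDF #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw.decode("latin-1"))


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes.

    Static pass only: object streams compressed with /FlateDecode are not inflated here,
    so an empty result is not proof that the file carries no active content.
    """
    counts = {}
    for m in NAME_TOKEN.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    """Script plus an outbound-capable action is the pattern that matters for tracking PDFs."""
    has_script = bool(counts.get("JavaScript") or counts.get("JS"))
    has_network = bool(counts.get("URI") or counts.get("SubmitForm") or counts.get("GoToR"))
    if has_script and has_network:
        return "review: script and outbound action present"
    if has_script or has_network:
        return "note: active content present"
    return "no active content found"


if __name__ == "__main__":
    found = triage_pdf(SAMPLE_PDF)
    print(found, verdict(found))
```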

The last exploits targeting an Adobe zero-day vulnerability emerged in March and were detected in targeted attacks against Uyghur activists in Central Asia and activists in Tibet.

Security firms Kaspersky Lab and FireEye reported on ItaDuke because it resembled the Duqu Trojan, data-stealing malware used in a campaign believed to be driven by China against manufacturers.

PUBLISHED APRIL 29, 2013