Hackers have been exploiting an unpatched Adobe Reader vulnerability for months

A high risk exploit: Kellman Meghu, chief technology officer at Canadian incident response firm DeepCove Security, called the exploit “a very high risk.” So far it looks as though this particular malware just exfiltrates data, he said. But it implies there is an ability or capability to turn it into a vehicle for remote code execution. “It is a zero click [vulnerability],” Meghu added, “meaning just viewing in a browser or email is likely enough to trigger it.”

CSOs should meet this threat by disabling Acrobat JavaScript, either by default or until there is a patch, he said. “But to be honest,” he added, “I think JavaScript execution is generally a bad idea in Adobe Reader,” so it should be disabled.

Johannes Ullrich, dean of research at the SANS Institute, noted Adobe Acrobat and Reader have often been the targets of sophisticated exploits. These frequently take advantage of features like JavaScript, or leverage the ability to include, or nest, various document types inside a PDF. Many malware filters will detect and flag these types of documents as malicious, he said.

“CSOs should ensure that web proxies and email gateways have filters enabled to not allow PDFs that are not fully standards compliant, and to eliminate PDFs taking advantage of known problematic features like JavaScript,” he said. “Any attachment like this should also prominently note that it was received from a source outside the organization.”

“Sadly,” he added, “PDFs are still very common, and can not be completely eliminated.”

Adam Marrè, CISO at Arctic Wolf, said that what makes this new vulnerability particularly concerning is that it’s being actively exploited and appears to work even on fully patched systems. That immediately raises the risk profile. “Even without full visibility into the entire attack chain, the fact that initial access can be gained through something as routine as opening a PDF means organizations should treat this as a real and present security event,” he said. “From there, the potential impact can range from limited data exposure to follow-on activity if attackers are able to deliver additional payloads.”

This becomes a matter of managing risk in real time, he pointed out. “When a trusted tool suddenly falls outside an organization’s acceptable risk threshold, the priority shifts to reducing exposure and increasing visibility. That may mean reassessing where the software is truly necessary, tightening how untrusted content is handled, and ensuring monitoring is in place to quickly detect any abnormal behavior,” he said.

“Just as important is what happens after containment,” he added. “Incidents like this are an opportunity to evaluate what controls held up, where gaps surfaced, and how to operationalize those lessons. Threats tied to everyday user behavior aren’t going away, so resilience depends on learning quickly and adapting just as fast.”
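
A sketch of the kind of gateway check described above for PDFs that carry JavaScript, automatic actions or embedded files, or that lack basic structural markers. This is an added example, not code from the article or from any vendor; the name list, the verdict labels and the sample documents are assumptions constructed for illustration, and the scan does not decompress streams.

```python
import re

# PDF name tokens tied to the features named above (assumed list):
# JavaScript actions, automatic actions, embedded (nested) files.
RISKY_NAMES = {
    "JS": "javascript", "JavaScript": "javascript",
    "OpenAction": "auto-action", "AA": "auto-action",
    "EmbeddedFile": "embedded-file", "EmbeddedFiles": "embedded-file",
    "Launch": "launch-action",
}
# A PDF name is "/" followed by regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r /<>\[\]{}()%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes and return a verdict plus the reasons for it."""
    reasons, incomplete = set(), False
    # Crude structural checks: header near the start, EOF marker near the end.
    if b"%PDF-" not in data[:1024]:
        reasons.add("missing-header")
    if b"%%EOF" not in data[-1024:]:
        reasons.add("missing-eof")
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name == "ObjStm":
            # Compressed object streams can hide names from this byte scan.
            incomplete = True
        elif name in RISKY_NAMES:
            reasons.add(RISKY_NAMES[name])
    return {"verdict": "quarantine" if reasons else "pass",
            "reasons": sorted(reasons), "incomplete": incomplete}


# Constructed sample documents (not real malware, not from the article).
CLEAN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
OBFUSCATED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /J#61vaScript /J#53 (constructed) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("obfuscated", OBFUSCATED)):
        print(label, triage_pdf(doc))
```

A result with `incomplete` set means names inside compressed object streams were not inspected, so a "pass" there calls for a parser that inflates streams before the file is released.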

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4156854/hackers-have-been-exploiting-an-unpatched-adobe-reader-vulnerability-for-months.html
