A micropatch is now available for a zero-day vulnerability in Adobe Reader which would allow maliciously crafted PDF documents to call home and send over the victim’s NTLM hash to remote attackers in the form of an SMB request.
The vulnerability was first disclosed by security researcher Alex Inführ on his blog, where a full analysis of the security issue and a proof-of-concept were published before Adobe managed to push out a security fix for the issue.
Applying the micropatch delivered through the 0patch platform will not require a system restart or relaunching a program, with the effect being immediate because it is an in-memory fix for running processes.
According to Mitja Kolsek, CEO of ACROS Security, the company behind 0patch:
This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDF reported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.
The zero-day, which doesn’t yet have a CVE tracker id, was tested against the latest version of Adobe Acrobat Reader DC 19.010.20069, but it most likely also impacts all other versions up to this one.
To be more exact, the vulnerability is triggered by a malicious PDF which includes an element designed to set off the automatic loading of a remote XML style sheet via SMB.
While a warning is displayed to alert the user that something is wrong if the action happens over HTTP, the PoC will do its job silently in the background “when using a UNC path (the type of path that denotes a resource in a shared folder).”
After the micropatch for the Adobe Reader zero-day was ready, 0patch sent it over to Alex Inführ for testing and he was able to confirm that, once applied, Adobe’s app is no longer vulnerable.
The micropatch developed by 0patch can be downloaded and applied after creating an account on 0patch.com, downloading the 0patch Agent and registering the agent on the device.
0patch also provides a video demo of their micropatch in action: