Two Zero-Day Vulnerabilities Discovered Following Upload of ‘Unarmed’ Proof of Concept to VirusTotal

Microsoft Uncovers Critical Zero-Day Vulnerabilities Targeting Adobe and Windows Kernel

Recent disclosures from Microsoft security researchers have revealed two significant zero-day vulnerabilities that were identified after a malicious PDF file surfaced on VirusTotal. These vulnerabilities were promptly patched before they could be exploited in real-world scenarios.

In late March, ESET researchers detected a malicious PDF uploaded to VirusTotal, which they flagged to Microsoft as a potential exploit linked to an unknown vulnerability within the Windows kernel. Following an in-depth analysis, Microsoft’s security team confirmed that the file contained two separate zero-day exploits: one affecting Adobe Acrobat and Reader, and the other targeting the Microsoft Windows operating system.

Microsoft publicly disclosed these vulnerabilities following the release of necessary security patches in May, allowing users sufficient time to update their systems. Researchers noted that the malicious PDF was in an early developmental phase, as it did not deploy any harmful payload but rather appeared to serve as proof-of-concept (PoC) code.

A striking aspect of this discovery is that the individual who uploaded this under-development exploit potentially compromised their operation by making it publicly accessible. The vulnerabilities in question include a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120).

The Adobe exploit leverages the software’s JavaScript engine to execute shellcode, as explained by Matt Oh, a Security Engineer at Windows Defender ATP Research. The second exploit lets that shellcode escape the Adobe Reader sandbox by exploiting the Windows kernel, gaining elevated privileges. Chained together, the two exploits could form a formidable cyber weapon in an attacker’s hands.

The PDF exploit relies on a malicious JPEG 2000 image carrying JavaScript code that triggers a double-free vulnerability, paving the way for shellcode execution. Following this initial exploit, attackers could use the Windows kernel vulnerability to escape the Adobe Reader sandbox and obtain elevated permissions.
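The combination described above (embedded JavaScript plus a JPEG 2000 image in one PDF) is also a useful triage signal for defenders. The script below is an added example written for this article, not code from Microsoft or ESET, and it does not detect CVE-2018-4990 specifically; it simply flags PDFs whose object dictionaries reference both a JavaScript action and a `/JPXDecode` (JPEG 2000) image stream, after undoing the `#xx` hex escapes that PDF names allow, so that a name written as `/J#61vaScript` is still recognised. The two PDFs it scans are constructed, minimal skeletons carrying only the structural markers of interest; the `/OpenAction` and `/AA` auto-run check is a general PDF heuristic assumed here, not something the article attributes to this sample.

```python
import re

# Constructed sample: a PDF skeleton that combines an auto-run JavaScript action
# with a JPXDecode (JPEG 2000) image object, mirroring the two ingredients the
# article attributes to the sample. The stream is empty; nothing here is exploit code.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1)) >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JPXDecode /Length 0 >>
stream
endstream
endobj
%%EOF
"""

# Constructed benign control: a JPEG 2000 image but no script, so it must not be flagged.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Filter /JPXDecode /Length 0 >>
stream
endstream
endobj
%%EOF
"""

# Constructed variant with the JavaScript name hex-escaped (/J#61vaScript), a
# legitimate PDF encoding that naive keyword matching would miss.
OBFUSCATED_PDF = SAMPLE_PDF.replace(b"/JavaScript", b"/J#61vaScript")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_JS_NAME = re.compile(rb"/(JavaScript|JS)\b")
_JPX_NAME = re.compile(rb"/JPXDecode\b")
_AUTORUN_NAME = re.compile(rb"/(OpenAction|AA)\b")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name tokens (e.g. /J#61vaScript -> /JavaScript).

    Normalising first means the keyword checks below see the name the parser sees.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return the structural markers found and an overall 'suspicious' verdict.

    Heuristic only (assumption of this example): a PDF that both carries script
    and embeds a JPEG 2000 image matches the shape of the sample described in the
    article and deserves a closer look; neither marker alone is evidence of anything.
    """
    norm = normalize_names(data)
    has_js = _JS_NAME.search(norm) is not None
    has_jpx = _JPX_NAME.search(norm) is not None
    auto_run = _AUTORUN_NAME.search(norm) is not None
    return {
        "javascript": has_js,
        "jpeg2000": has_jpx,
        "auto_run": auto_run,
        "suspicious": has_js and has_jpx,
    }


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(label, triage_pdf(blob))
```

Run against a real corpus, this would be a first-pass filter feeding deeper analysis (decompressing object streams, actually parsing the object tree), since the markers can also sit inside compressed `/ObjStm` objects where a byte-level scan will not see them.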

At the time of detection, the malicious PDF only delivered a simple PoC payload that dropped an empty VBS file into the Startup directory. ESET researchers indicated that the sample’s lack of a final payload suggested it was still under development, yet it demonstrated a sophisticated understanding of vulnerability discovery and exploit crafting.

Adobe and Microsoft have since released security updates addressing both vulnerabilities. For in-depth technical details about these exploits, interested parties can refer to the official blogs from Microsoft and ESET.

In summary, this incident highlighted vulnerabilities that could have been exploited to gain significant unauthorized access, with techniques mapping to MITRE ATT&CK tactics: initial access via the malicious PDF, privilege escalation through the Windows kernel exploit, and persistence through the dropped payload. Such incidents underscore the need for vigilant cybersecurity practices among businesses to protect against emerging threats.
