Exploitation of software vulnerabilities continues to be a common way to infect computers with malware. Leveraging exploits allows malware authors to infect, disrupt, or take control of a computer without the user’s consent and typically without their knowledge. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on the computer.
Figure 1 below shows the prevalence of exploits targeting document readers and editors detected by Microsoft antimalware products each quarter from 3Q11 to 4Q12, by number of unique computers affected.
Figure 1: Document readers and editors exploit prevalence detected by Microsoft antimalware products
It was interesting to see that exploits that target vulnerabilities in document readers and editors rose sharply in 4Q12. This was primarily due to increased exploitation of vulnerabilities in Adobe Reader and Adobe Acrobat software, as shown in Figure 2.
Figure 2: Computers affected with exploits for document readers and editors
The following are some of the vulnerabilities whose exploits are detected as Win32/Pdfjsc:
Out of all the vulnerabilities covered by this family, the most detections in 4Q12 were for exploits against the vulnerability discussed in CVE-2010-0188. This was primarily because exploits for CVE-2010-0188 are used by a number of exploit kits, including Blacole.
The exploits commonly use any of these file names:
- 5661f.pdf 7927
- 9fbe0.pdf 7065
The file names change very often, so please exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
CVE-2010-0188 was fixed by Adobe in a security update released on February 16, 2010 (Adobe Security Bulletin APSB10-07). The following versions are vulnerable:
- Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
- Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
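An inventory check for the affected version range, added here as an example (not code from the original post): the product names, the 9.3 cut-off and the platform lists are taken from the text above, while the host records are constructed sample data.

```python
# Added example (not from the original post): flag installs of Adobe Reader /
# Acrobat that fall inside the version range the post lists for CVE-2010-0188.
# Product names, the 9.3 cut-off and platform lists come from the post; the
# inventory records below are constructed sample data.

AFFECTED = {
    # last vulnerable version, and the platforms the post names for each product
    "Adobe Reader": ((9, 3), {"windows", "macintosh", "unix"}),
    "Adobe Acrobat": ((9, 3), {"windows", "macintosh"}),
}

def parse_version(text):
    """'9.3.1' -> (9, 3, 1). Compare as integer tuples, never as strings:
    lexically '9.10' < '9.3', which would misclassify a patched 9.10 install."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product, version, platform):
    """True when the install matches a product/platform named in APSB10-07 and
    its version is 9.3 or earlier. Assumption: '9.3 and earlier' means
    <= (9, 3), so point releases above it such as 9.3.1 count as patched."""
    entry = AFFECTED.get(product)
    if entry is None:
        return False                       # product not covered by the bulletin
    max_vuln, platforms = entry
    if platform.lower() not in platforms:
        return False                       # platform not listed for this product
    return parse_version(version) <= max_vuln

# Constructed sample inventory: (host, product, version, platform)
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Reader", "9.3", "Windows"),
    ("ws-02", "Adobe Reader", "9.3.1", "Windows"),
    ("ws-03", "Adobe Acrobat", "8.2.0", "Macintosh"),
    ("ws-04", "Adobe Reader", "10.1.4", "UNIX"),
    ("ws-05", "Adobe Acrobat", "9.1", "UNIX"),
]

def find_vulnerable_hosts(inventory):
    """Return the hosts whose document reader still needs the APSB10-07 update."""
    return [host for host, product, version, platform in inventory
            if is_vulnerable(product, version, platform)]

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2010-0188, APSB10-07)")
```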
This vulnerability is still being exploited widely even though a fix has been available for over 2 years. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from this article:
Here are some URL patterns for websites that serve these exploits:
Exercise caution when you see such patterns in links to webpages, especially if you receive them from unknown sources, or if the links point to a webpage that you are not familiar with, are unsure of the destination of, or find suspicious.