There we were thinking that Adobe was at fault because its Acrobat Reader had a vulnerability that exposed users to bad PDF files filled with malware sent in spam, when all along it was yet another vulnerability in Microsoft Windows. Microsoft has belatedly admitted that it's to blame and is working on a fix, but for many it may be too late, as spam with dodgy PDF files is hitting mailboxes by the tens of thousands.
Researchers say the new exploit is particularly dangerous because PDF files, the attack vector, are not filtered at email gateways the way .exe files are.
Microsoft security response team member Bill Sisk issued a warning via the Microsoft Response Centre Blog yesterday, admitting that applying a security update from Adobe does not fix the vulnerability and that Microsoft is working feverishly to patch the flaw.
"Third party applications are currently being used as the vector for
attack and customers who have applied the security updates available
from these vendors are currently protected. However, because the
vulnerability mentioned in this advisory is in the Microsoft Windows
ShellExecute function, these third party updates do not resolve the
vulnerability – they just close an attack vector," wrote Sisk.
"As part of our SSIRP process we currently have teams worldwide who are
working around the clock to develop an update of appropriate quality
for broad distribution. Because ShellExecute is a core part of Windows,
our development and testing teams are taking extra care to minimize
application compatibility issues."
According to Finnish security company F-Secure,
an unknown party has been sending out tens of thousands of mails with
subject-lines like: Your credit report; Personal Financial Statement;
Your Credit File; and Balance Report.
The mails contain no mail body, only an attachment called "report.pdf".
When opened, the PDF file uses the CVE-2007-5020 vulnerability via
Acrobat Reader and IE7 and downloads further malware from a server in
Malaysia. The target of the malware seems to be to create a botnet of
infected machines to be used for further malicious activity, F-Secure
writes on its site.
"We're worried about this case, as PDF attachments are typically not
filtered at email gateways", says F-Secure's Chief Research Officer
Mikko Hypponen. "Executable files are now stripped almost everywhere,
but PDF is stripped almost nowhere".
"Also, a security update for Acrobat Reader was just made available few
days ago, so there are tons of users who haven't had a chance to update
yet".
As always, advisors say the best way to protect yourself is not to open
dodgy emails. Could another way possibly be to migrate from Windows to
something else - say Linux?
David Bass