Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.

Username: | Password: Contact us to request an account

An Interesting Result for JBIG2 PDF Vulnerability

While tinkering around with the recent JBIG2Decode PDF vulnerability that is not expected to be patched by Adobe until mid March, Didier Stevens realised that it was possible to trigger the vulnerability (and thus the exploit) without actually requiring the victim to open a manipulated PDF document.

As Didier worked through the various means by which to encode and otherwise hide the exploit data inside a PDF, he was finding that many of the antivirus versions on VirusTotal weren't really detecting his samples. This doesn't bode well for the targets of newer attacks that make use of this particular vulnerability, which are more likely to make use of the many and varied means by which to hide malicious data inside a valid PDF file.

Didier's key discovery came when he found that by embedding the vulnerability data inside the file metadata he could trigger the exploit through Windows Explorer just by having the file present and the mouse cursor hovered over the file for long enough to display a tooltip with various file properties and metadata. How Windows extracts this information is via Windows Explorer Shell Extensions, which in the case of a PDF with malicious metadata is the Column Handler Shell Extension, installed alongside Adobe Reader. This extension reaches into the file metadata to extract some extra contextual information to display when the file is hovered over with the mouse in Windows Explorer. In the process of doing this, it is enough to silently trigger the vulnerability.

In addition to this new exploitation route, Didier goes on to demonstrate two other means by which it is possible to activate the exploit without explicitly opening a compromised file. These methods are single clicking on the file, and viewing in thumbnail view. Since both methods require the system to process the file as part of this action, it allows the exploit to be triggered.

5 March 2009

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.