Zero-day vulnerability in Adobe Reader

Memory corruption
CVE-2011-2462

This 0-day vulnerability was discovered by Lockheed Martin’s Computer Incident Response Team and was found to be part of a targeted attack. The exploit sample analyzed by the researchers appears to come from Barclay’s bank in New York City.

Known malware:

Trojan Sykipot.

Vulnerability details

Advisory: SB2011120601 - Remote code execution in Adobe Acrobat and Adobe Reader

Vulnerable component: Adobe Reader

CVE-ID: CVE-2011-2462

CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling Universal 3D (U3D) data. A remote attacker can create a specially crafted .pdf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the system with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
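The following is an added triage example, not part of the original advisory and not Adobe's code. Since this bug lives in the U3D content path, a first-line check for a suspicious PDF is whether it carries U3D at all: a 3D annotation (/Subtype /3D with a /3DD data stream), a stream declared /Subtype /U3D, or stream bytes starting with the U3D file-header block type 0x00443355 (ASCII "U3D" followed by NUL, per ECMA-363). The scanner expands PDF name escapes (so /U#33D is recognised as /U3D) and inflates FlateDecode streams, because in real documents the U3D payload is compressed and a plain grep for the magic bytes finds nothing. The sample PDFs are constructed inline and contain no exploit.

```python
import re
import zlib

# ECMA-363 file header block type 0x00443355, little-endian on disk: "U3D\0"
U3D_HEADER_MAGIC = b"U3D\x00"


def normalize_names(buf: bytes) -> bytes:
    """Expand PDF name hex escapes (#xx) so /U#33D compares equal to /U3D."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), buf)


def iter_streams(pdf: bytes):
    """Yield (dictionary, data) for each stream object in the file.

    Dictionaries with one level of nesting (e.g. /DecodeParms << >>) are
    accepted; FlateDecode streams are inflated so their content is visible.
    """
    pat = re.compile(
        rb"\d+\s+\d+\s+obj\s*(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream",
        re.DOTALL,
    )
    for m in pat.finditer(pdf):
        d = normalize_names(m.group(1))
        data = m.group(2)
        if re.search(rb"/Filter\s*(?:\[\s*)?/FlateDecode", d):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or obfuscated deflate: fall back to raw bytes
        yield d, data


def scan_pdf_for_u3d(pdf: bytes) -> dict:
    """Triage a PDF for U3D content and report what was found."""
    norm = normalize_names(pdf)
    result = {
        # 3D annotations (/Subtype /3D); their /3DD entry points at the data
        "annot_3d": len(re.findall(rb"/Subtype\s*/3D\b", norm)),
        "u3d_streams": 0,   # streams declared /Subtype /U3D
        "u3d_magic": 0,     # streams whose bytes carry the U3D header magic
    }
    for d, data in iter_streams(pdf):
        if re.search(rb"/Subtype\s*/U3D\b", d):
            result["u3d_streams"] += 1
        if U3D_HEADER_MAGIC in data:
            result["u3d_magic"] += 1
    result["suspicious"] = bool(
        result["annot_3d"] or result["u3d_streams"] or result["u3d_magic"])
    return result


def build_pdf_with_u3d_stream(payload: bytes, compress: bool) -> bytes:
    """Constructed helper (assumption: minimal PDF layout, not a real sample):
    wrap a U3D payload in a one-page PDF with a 3D annotation, optionally
    FlateDecode-compressed as real-world documents normally are.
    The /U3D name is written as /U#33D to exercise escape handling."""
    data = zlib.compress(payload) if compress else payload
    flt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.6\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /3D /3DD 5 0 R /Rect [0 0 100 100] >> endobj\n"
        b"5 0 obj << /Type /3D /Subtype /U#33D " + flt
        + b"/Length " + str(len(data)).encode() + b" >>\nstream\n"
        + data + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed samples: a benign PDF with no 3D content, and the same U3D
# header bytes embedded once raw and once deflated.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
U3D_PAYLOAD = U3D_HEADER_MAGIC + b"\x00" * 12
PLAIN_PDF = build_pdf_with_u3d_stream(U3D_PAYLOAD, compress=False)
FLATE_PDF = build_pdf_with_u3d_stream(U3D_PAYLOAD, compress=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("plain", PLAIN_PDF), ("flate", FLATE_PDF)):
        print(label, scan_pdf_for_u3d(doc))
```

A hit here only means the document carries the content type this bug is reached through, which is rare in ordinary business mail and a reasonable reason to quarantine or detonate the file; it says nothing about whether the U3D data is malformed. A reader that does not render 3D content, or has the 3D plug-in disabled, is not reached by this path.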

Known APT campaigns:

Sykipot campaigns

Sykipot attacks trace back to 2006.

The attackers sent emails with specially crafted links or content delivering the JS.Sykipot and Backdoor.Sykipot Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).

According to Symantec, the Sykipot group has Chinese roots.

Public Exploits: