July Vulnerability of the Month: Two Zero-Days Caught in Development
An Adobe Reader double free vulnerability on Windows and macOS systems earns the nod for its interesting discovery and patch story.
Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire team the chance to vote -- combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
Background
This month, Tenable Research highlights CVE-2018-4990, an Adobe Reader double free vulnerability on Windows and macOS systems. CVE-2018-4990 has an interesting discovery and patch story. It was discovered by ESET researchers in March 2018 because the developers uploaded their malicious PDF to their public repository. Because the sample didn’t contain the final payload, researchers concluded it was still in development. The researchers disclosed this vulnerability -- along with CVE-2018-8120, a privilege escalation bug in Microsoft Windows -- to the vendors. Security patches were issued in mid-May.
What makes this the vulnerability of the month?
It’s always interesting when the (potential) attackers tip their hands. Uploading malicious samples to a public repository while they’re still in development wasn’t the smartest move, assuming stealth was desired. Uploading the incomplete sample might have been a tactic to determine if any antivirus software would detect it. The samples “demonstrated a high level of skills in vulnerability discovery and exploit writing," according to ESET.
This is also an excellent example of how vulnerabilities can be chained to achieve remote code execution with highest privileges. Had the vulnerabilities not been discovered and patched before the exploits were fully developed, it’s likely they would have been widely used by attackers, particularly in exploit kits, with potentially disastrous consequences.
Vulnerability details
This vulnerability impacts Adobe Reader/DC 2018.011.20038 and earlier versions along with Adobe Acrobat Reader 2017/DC 2017.011.30079 and earlier versions.
An attacker who successfully exploits the vulnerability could achieve arbitrary code execution in the context of the current user. While the malicious PDF is available on VirusTotal, we are not aware of any reports of these vulnerabilities being exploited in the wild yet.
When the two vulnerabilities (CVE-2018-4990 and CVE-2018-8120) are combined, as they were in the upload to VirusTotal, an attacker could gain complete control of an affected system. We’ve released the following Nessus® plugins to assist our customers in finding and securing their exposure to CVE-2018-4990 as well as the other vulnerabilities patched in the update.
|
Plugin ID |
Description |
|
Adobe Acrobat 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) |
|
|
Adobe Reader 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) |
|
|
Adobe Acrobat 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS) |
|
|
Adobe Reader 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS) |
|
|
KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update |
|
|
Security Updates for Windows Server 2008 (May 2018) |
Additional resources
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 19, 2024Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
November 18, 2024Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
November 12, 2024Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.
Walking the Walk: How Tenable Embraces Its "Secure by Design" Pledge to CISA
November 25, 2024As a cybersecurity leader, Tenable was proud to be one of the original signatories of CISA’s “Secure by Design" pledge” earlier this year. Our embrace of this pledge underscores our commitment to security-first principles and reaffirms our dedication to shipping robust, secure products that our users can trust. Read on to learn how we’re standing behind our pledge.
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
- Vulnerability Management