Isn’t it nice (and mildly annoying) how Windows notifies you about and installs updates/patches on its own? Sure, the loss of productivity while the dreaded updater gets to work can be irritating, but not having to manually apply updates yourself is a worthy trade-off. But what about all the other non-Microsoft software you use on a daily basis? Internet browsers, Java, Adobe programs…the list goes on.
It may be a surprise to learn that 75% of vulnerabilities on a PC are due to flaws in 3rd party software. This doesn’t mean that non-Microsoft software is inherently unsafe; it’s just that the sheer number of different vendors and distributors make it difficult to properly track and apply new patches for other commonly used programs. Unlike the many Microsoft programs all managed by one entity, there is no single dashboard for everything else, and this can lead to some very dangerous security holes.
Case-in-point: On February 12, Adobe released a patch resolving approximately 71 vulnerabilities across multiple products, including Acrobat, Reader, Flash Player, ColdFusion, and Creative Cloud. Most of these were designed to correct minor bugs, but a significant zero-day vulnerability was also included among the fixes. Assigned identifier CVE 2019-7089, the flaw can have serious repercussions if not quickly patched.
In 2018, a vulnerability in Adobe reader, since dubbed “Bad-PDF”, was disclosed to the public. The vulnerability was exploited to steal NTLM hashes from a Windows machine and send them back to an attacker. Since though, there was a patch and it is no longer an active threat. Of course, history tends to repeat itself. The newly revealed vulnerability does practically the same thing as Bad-PDF, it is just located in a different place. If you haven’t already applied the patch, you’re at risk.
How CVE 2019-7089 Works
The problem occurs when a malicious PDF embedded with a remote XML stylesheet is sent to a recipient and opened in Adobe Reader. In layman’s terms, the PDF formats in such a way that Reader must reach out to a specified server and download another remote PDF to correctly display its contents. If an attacker sends this special PDF, they can force Reader to contact a malicious server under their control. In turn, this immediately notifies the attacker when you open the PDF and allows them to steal NTLM hashes – the encrypted version of your Windows passwords – via the connection.
The information received when this vulnerability is successfully exploited can be particularly useful to a hacker. There are websites and programs readily available that can crack the hashes they stole, letting them access your passwords. It’s even faster and easier for them to do this if you don’t have a strong password policy in place.
What This Means for You
The seriousness of this Zero-Day vulnerability is a call-to-action. It’s time to re-educate yourself on what patching means. It’s easy to grow complacent, letting Microsoft handle the heavy lifting on Patch Tuesday for Windows. But the fact of the matter is that OS patching isn’t enough to cut it anymore in today’s security climate. Operating systems are no longer the focus for hackers; it’s the other programs you don’t think about that are the real targets. Google Chrome? Check. Adobe products? Check. Oracle JDK? Check.
The latest vulnerability reveal from Adobe should be a wake-up call and makes a case for 3rd party patching policies. Every day brings new-found holes and new holes mean new ways for hackers to get into your network.
What You Should Do
- The first and most important action you should take is to make sure all your Adobe software is up-to-date on its patches and updates. If they’re not, ensure that you download and install them immediately.
- Educate your users on the dangers of opening PDFs from unknown sources.
- IT Administrators: Disable external SMB access in your firewall to prevent NTLM hash leakages.
- Enable Protected View for all PDF files in Adobe Reader. See the ‘Mitigation Options’ section here for more information.
- Implement and maintain a strong password policy. If all else fails, don’t make an attacker’s job easier if they do access those hashes.
- Consider a 3rd party patching solution. ADNET’s Foundations services can patch some of these third-party applications – contact your ADNET Engagement Manager to discuss 3rd party patching and coordinate a review of these policies!