Analyzing the first ROP-only PDF exploit

Unlike the Internet Explorer zero-day exploits we have seen in the past, this Adobe Reader zero-day exploit is fully “weaponized.” The exploit, based on return-oriented programming (ROP), uses multiple evasion techniques, including highly obfuscated JavaScript, ROP-only shellcode, and multi-staged encrypted malware, to bypass network and endpoint security detection and protection. Its exploitation technique is similar to the old iOS jailbreak exploit used to defeat the iOS code-signing enhancement. The exploitation happens in a split second, so a victim who opens the original malicious PDF file will not observe any abnormal behavior.

Takeaway: As suggested in prior security nuggets: trust, but verify. Don’t open just any file sent to you, even if it comes from a known source. Keeping antivirus and DLP products up to date helps only to some extent. The increase in BYOD across organizations results in much faster spread of such malware, as many users do not have their endpoints secured as tightly as they need to be.