Jasiel Spelman, Brian Gorenc, Abdul-Aziz Hariri

Bugs so nice they patched them twice! A (continuing?) story about failed patches

Abstract

Over the last several years, the industry has experienced a spike in research focused on finding a wide variety of vulnerabilities in PDF rendering applications. Just look at the security advisories from Adobe, Foxit, Google, and Microsoft. Everything from classic memory corruption issues like buffer overflows, use-after-frees, and type confusions to the more esoteric JavaScript API restriction bypasses is being patched on a monthly basis. This increase in discoveries is driven by the hardening of previously popular attack vectors, like the web browser, and by the fact that PDF rendering engines support a tremendous amount of functionality. Along with standard PDF viewing, they offer ways of annotating and indexing PDF files and expose a rich set of JavaScript APIs that help in automating tasks. It’s a unique playground for attackers to take advantage of when conducting targeted attacks.

With all these bugs being patched, one begins to wonder if these are all new discoveries or something a little bit more unnerving. Is it possible that the vendor patches were ineffective and that researchers are discovering ways to re-trigger previously patched vulnerabilities? The answer is yes! This talk drills into this topic by exposing modern vulnerabilities targeting Adobe Acrobat and, more importantly, how these vulnerabilities were ultimately resolved after multiple disclosures. We start by taking a detailed look at the attack surface exposed by Adobe Acrobat. We then dive into multiple vulnerabilities that were purchased by the Zero Day Initiative program and describe how Adobe found the bugs so nice they patched them twice. These failed patches highlight the complexities of Acrobat and demonstrate the need for vigilance amongst researchers reporting bugs to Adobe. A patch is good; a solution is better.

BIO

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Brian Gorenc is the Director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions.

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri