Abstract

Over the last several years, the industry has experienced a spike in research focused on finding a wide variety of vulnerabilities in PDF rendering applications. Just look at the security advisories from Adobe, Foxit, Google, and Microsoft. Everything from classic memory corruption issues like buffer overflows, use-after-frees, and type confusions to the more esoteric JavaScript API restriction bypasses is being patched on a monthly basis. This increase in discoveries is driven by the hardening of previously popular attack vectors, like the web browser, and by the fact that PDF rendering engines support a tremendous amount of functionality. Along with standard PDF viewing, they offer ways of annotating and indexing PDF files and expose a rich set of JavaScript APIs that help in automating tasks. It's a unique playground for attackers to take advantage of when conducting targeted attacks.

With all these bugs being patched, one begins to wonder if these are all new discoveries or something a little bit more unnerving. Is it possible that the vendor patches were ineffective and that researchers are discovering ways to re-trigger previously patched vulnerabilities? The answer is yes! This talk drills into this topic by exposing modern vulnerabilities targeting Adobe Acrobat and, more importantly, how these vulnerabilities were ultimately resolved after multiple disclosures. We start by taking a detailed look at the attack surface exposed by Adobe Acrobat. We then dive into multiple vulnerabilities that were purchased by the Zero Day Initiative program and describe how Adobe found the bugs so nice they patched them twice. These failed patches highlight the complexities of Acrobat and demonstrate the need for vigilance amongst researchers reporting bugs to Adobe. A patch is good; a solution is better.