Return of the Unpublished Adobe Vulnerability
- Wednesday, September 8, 2010, 14:17
- Threat Research
The last two days have been pretty busy. I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour's "contagio malware dump" blog. After giving the blog post a once-over, it was pretty clear that she had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screenshot of the Adobe Reader "About" dialog with dropped files showing. Great image! This most definitely piqued my interest.

As a technical person, I then re-scanned to glean the technical details. One awesome piece of information was:

--According to *REDACTED*, it is "vuln func in cooltype.dll 0x0803dcf9 due 2 incorrect parsing of TTF font and heapspray is done in JS with ROP code (bypasses DEP)"

From this single line, *REDACTED* pretty much laid it all out on the table. Opening CoolType.dll from 9.3.4 up in IDA Pro showed a function where indeed "strcat" was being used. However, I didn't have much more detail at this point, so I asked Mila for the sample via DM and went back to my previous task (working on opcodedb).

An hour or so later, I noticed that Mila had responded...