Google Project Zero: 15 vulnerabilities in Adobe Reader and Windows

Mateusz Jurczyk revealed 15(!) remote code execution vulnerabilities included in a single devastating hack against Adobe Reader and Windows.

The security researcher (@j00ru) of Google Project Zero presented the findings at the Recon security conference in a talk entitled "A story of cross-software ownership, shared codebases and advanced exploitation" [PDF], without much fanfare, and published a PoC demonstration video.

The most important vulnerabilities affect 32-bit systems (CVE-2015-3052) and 64-bit systems (CVE-2015-0093).

They are also found in the Adobe Type Manager font driver (ATMFD.dll), the component that has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0.

Jurczyk states that the BLEND exploits are "absolutely reliable" and relate to the handling of CharStrings, which are responsible for drawing the shape of each letter at a specific size.

A summary of the vulnerabilities discovered by Jurczyk is available in the image below.

Google Project Zero

Each of the 15 vulnerabilities discovered by Jurczyk is from a seemingly unexplored area and can cause remote code execution or privilege escalation in Adobe Reader or in the Windows kernel.

Microsoft and Adobe immediately made three updates available.


Information-Photos: ElReg


Written by Dimitris
