CVE-2010-2883
published 2010-09-09

Priority P185 high · CVSS 3.1: 7.3
AV:L / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 82.48% (99.6th percentile)

Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | >= 8.0 < 8.2.5 | 8.2.5 |
| adobe | acrobat | >= 9.0 < 9.4 | 9.4 |
| adobe | acrobat_reader | >= 8.0 < 8.2.5 | 8.2.5 |
| adobe | acrobat_reader | >= 9.0 < 9.4 | 9.4 |

Detection & IOCs (extracted from sources)

hash: b261f49fb6574af0bef16765c3db2900a5d3ca24639e9717bc21eb28e1e6be77
hash: c982d2ab066c80f314af80dd5ba37ff9dd99288f
filename: rundll32.exe
  • Infected PDF files drop and execute an embedded executable (Virus.Win32.ASRUEX.A.orig) in the background while decrypting and displaying the original PDF host file using XOR, to avoid user suspicion. Monitor for Adobe Reader/Acrobat spawning unexpected child processes.
  • The malware injects a DLL into a legitimate Windows process memory. Monitor for unexpected DLL injection events associated with processes spawned by Adobe Reader or Acrobat.
  • The malware infects files with file sizes between 42,224 bytes and 20,971,520 bytes. This size range can be used as a heuristic filter when scanning for infected host files.
  • For infected executable files, the Asruex variant appends the compressed/encrypted original host file as an .EBSS section. Scanning PE files for an anomalous .EBSS section can help identify infected executables.
  • The exploit only affects Adobe Reader versions 9.x before 9.4 and Acrobat versions 8.x before 8.2.5 on Windows and Mac OS X. Systems running patched or newer versions are not vulnerable.

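CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.3 | HIGH | |
| cisa | | 7.3 | HIGH | |
| vendor_redhat | | 7.3 | HIGH | |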