How Microsoft helped neuter ‘double zero-day exploit’ before anyone was infected

Microsoft has provided more details about a recently patched critical zero-day exploit for Adobe's Acrobat Reader that could be combined with a less severe zero-day exploit against the Windows kernel to compromise Windows 7 machines.

The pair of related exploits were the source of conflicting advisories from Microsoft and Adobe, each published in May after the companies investigated, in March, a malicious PDF document that had been uploaded to Alphabet-owned VirusTotal.

Adobe initially said there were no in-the-wild exploits for the Acrobat flaws it patched in May, but changed its advisory shortly afterwards when Microsoft said that someone other than Microsoft had an exploit for the related flaw in the Windows kernel.

The flaws in the Adobe and Microsoft software were discovered by ESET researcher Anton Cherepanov, who said he found a "rare case" in which an attacker was able to exploit both Reader and Windows in order to bypass the Adobe Reader sandbox. Bypassing the Reader sandbox usually requires exploiting a bug in the operating system; this attack chained a remote code execution flaw in Reader with a privilege escalation flaw in Windows.

Windows 7 and Windows Server 2008 systems that have not been patched today are still vulnerable, and Microsoft would like users to know that if they had updated to Windows 10 they would not be vulnerable, even without the patch.