Check Point cyber security experts found almost 53 new and critical vulnerabilities in Acrobat Reader during a 50-day experiment with the WinAFL fuzzer
Adobe Reader has almost 53 new and critical vulnerabilities. They were discovered by Check Point cyber security experts, who analyzed the software over the last 50 days using WinAFL, a common Windows fuzzing framework. The total number of new vulnerabilities reported in 2017 was about 14,000, a high point compared with previous years and more than double the number found in 2016, according to Check Point. The researchers attribute the spike to the growing popularity of “fuzzers,” automatic vulnerability-finding tools, which are maturing and gaining acceptance as their capabilities are refined. Fuzzers are not new – they have been around for more than twenty years – but they are becoming more accessible and capable. Professional threat researchers commonly use fuzzing in lab environments to find new vulnerabilities in hardware and software. Security experts often avoid them because they are perceived to be a hassle, but adoption is increasing.
Check Point chose the WinAFL automatic vulnerability-finding tool to scan Adobe Reader, hunting for potential vulnerabilities
According to Dark Reading, the Check Point cyber security researchers chose WinAFL, a common Windows fuzzing framework, as their fuzzer and targeted Adobe Reader in “the most vanilla experiment we could think of,” as they explain in a report on the findings. A 50-day timeframe was chosen for the full project: reverse-engineering code, hunting for potentially vulnerable libraries, writing harnesses, and running the fuzzer itself. WinAFL, a fork of AFL for Windows, is a coverage-guided genetic fuzzer built and maintained by Ivan Fratric of Google’s Project Zero. The Windows version uses a different style of instrumentation, which lets researchers target closed-source binaries, they report. They found WinAFL effective at finding file-format bugs, especially in compressed binary formats.
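The "writing harnesses" step above is where most of the engineering effort in a file-format fuzzing campaign goes. The following is an added illustration, not Check Point's or WinAFL's own code: it shows the shape a coverage-guided fuzzer such as WinAFL expects from a target, a function that receives the path of the mutated input file, reads it, releases the file handle, runs the parser, and returns normally. The toy "TLV1" record format and the function names `parse_tlv` and `fuzz_target` are constructed for this example; the parser checks every length against the bytes remaining so that the harness itself cannot be the source of crashes.

```c
/* Added example: harness shape for a coverage-guided file-format fuzzer.
 * Illustrative code, not Check Point's or WinAFL's own.  The "TLV1" format,
 * parse_tlv() and fuzz_target() are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Toy format: 4-byte magic "TLV1", then records of
 * [type:1 byte][len:2 bytes little-endian][payload:len bytes]. */
#define MAX_RECORDS 64

typedef struct { uint8_t type; uint16_t len; } tlv_rec;

/* Parse a buffer.  Returns the number of records, or -1 on malformed input.
 * Every length is bounds-checked before use, so the parser is memory-safe on
 * arbitrary input; a fuzzer pointed at it should find no crashes here. */
int parse_tlv(const uint8_t *buf, size_t n, tlv_rec *out, size_t max_out) {
    if (n < 4 || memcmp(buf, "TLV1", 4) != 0) return -1;
    size_t off = 4;
    int count = 0;
    while (off < n) {
        if (n - off < 3) return -1;                 /* truncated header */
        uint8_t type = buf[off];
        uint16_t len = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += 3;
        if (len > n - off) return -1;               /* payload runs past end */
        if ((size_t)count < max_out) { out[count].type = type; out[count].len = len; }
        count++;
        off += len;
    }
    return count;
}

/* Harness entry point.  A WinAFL-style persistent fuzzer calls a function
 * like this once per mutated input, passing the file path.  It must read the
 * whole file, close the handle, parse, and return normally. */
int fuzz_target(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t *buf = NULL;
    size_t n = 0, cap = 0;
    uint8_t tmp[4096];
    size_t got;
    while ((got = fread(tmp, 1, sizeof tmp, f)) > 0) {
        if (n + got > cap) {
            size_t newcap = cap ? cap * 2 : 8192;
            while (newcap < n + got) newcap *= 2;
            uint8_t *nb = realloc(buf, newcap);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb; cap = newcap;
        }
        memcpy(buf + n, tmp, got);
        n += got;
    }
    fclose(f);  /* release the handle before handing control back to the fuzzer */
    tlv_rec recs[MAX_RECORDS];
    int r = parse_tlv(buf, n, recs, MAX_RECORDS);
    free(buf);
    return r;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    printf("records: %d\n", fuzz_target(argv[1]));
    return 0;
}
```

Keeping the parser and the file handling in separate functions is deliberate: the fuzzer's coverage feedback should be driven by the parser, and leaked file handles in the harness are a common reason persistent-mode runs stall or produce false crashes.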
How the fuzzing process should be run
Running the fuzzers is pretty straightforward, the Check Point cyber security experts say, and should be done in the following order: run the fuzzers, check coverage and crashes, investigate coverage, employ the “cmin” corpus-minimization process, and repeat. A bot should be used to check the status of all fuzzers, graph paths over time for each, triage crashes and generate a report, and restart dead fuzzers. “We can’t stress enough how important it is to automate these tasks,” they write. “Otherwise, fuzzing is tedious and error prone.” Their strategy led to the discovery of 53 critical bugs in Adobe Reader and Adobe Pro, and they repeated the process for different parsers to come up with their final list of CVEs.
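The monitoring bot described above is the part of the workflow that keeps a multi-week campaign honest. The script below is an added example, not Check Point's bot or anything shipped with WinAFL: it reads the AFL-style `fuzzer_stats` file that each instance writes (`key : value` per line), records `paths_total` per polling round as the data a paths-over-time graph would be drawn from, totals crashes and hangs, flags instances whose stats have not been updated within a threshold, and records the command line of each dead instance so a supervisor can relaunch it. The three sample `fuzzer_stats` contents, the `DEAD_AFTER_SECONDS` threshold and the `NOW` timestamp are constructed for the example; in practice the text would be read from each instance's output directory.

```python
"""Added example, not Check Point's or WinAFL's code: a status bot for a
fleet of AFL/WinAFL fuzzer instances driven by their fuzzer_stats files."""
from collections import defaultdict

DEAD_AFTER_SECONDS = 600  # assumption: no stats update for 10 minutes => dead

# Constructed sample fuzzer_stats contents for three instances (AFL-style
# "key : value" lines).  fuzzer03 last wrote its stats 40 minutes before NOW,
# so the bot should flag it as dead.  The command lines are made up.
NOW = 1_700_000_000
SAMPLE_STATS = {
    "fuzzer01": (f"fuzzer_pid : 4321\nlast_update : {NOW - 30}\npaths_total : 812\n"
                 "unique_crashes : 3\nunique_hangs : 1\nexecs_per_sec : 140.25\n"
                 "command_line : afl-fuzz.exe -i in -o out -- harness.exe @@\n"),
    "fuzzer02": (f"fuzzer_pid : 4322\nlast_update : {NOW - 5}\npaths_total : 790\n"
                 "unique_crashes : 0\nunique_hangs : 0\nexecs_per_sec : 151.00\n"
                 "command_line : afl-fuzz.exe -i in -o out -- harness.exe @@\n"),
    "fuzzer03": (f"fuzzer_pid : 4323\nlast_update : {NOW - 2400}\npaths_total : 300\n"
                 "unique_crashes : 2\nunique_hangs : 0\nexecs_per_sec : 0.00\n"
                 "command_line : afl-fuzz.exe -i in -o out -- harness.exe @@\n"),
}

# (timestamp, paths_total) per instance, one entry per polling round: the raw
# series a "paths over time" graph is plotted from.
HISTORY = defaultdict(list)


def parse_stats(text):
    """Parse 'key : value' lines into a dict of strings."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            stats[key.strip()] = value.strip()
    return stats


def classify(stats, now):
    """Summarise one instance and decide whether it looks dead."""
    last_update = int(stats.get("last_update", "0"))
    return {
        "alive": now - last_update <= DEAD_AFTER_SECONDS,
        "paths": int(stats.get("paths_total", "0")),
        "crashes": int(stats.get("unique_crashes", "0")),
        "hangs": int(stats.get("unique_hangs", "0")),
        "execs_per_sec": float(stats.get("execs_per_sec", "0")),
        "command_line": stats.get("command_line", ""),
    }


def poll(stats_by_instance, now):
    """One bot round: parse every instance, extend HISTORY, return a report."""
    report = {"instances": {}, "dead": [], "restart": [],
              "total_paths": 0, "total_crashes": 0, "total_hangs": 0}
    for name, text in sorted(stats_by_instance.items()):
        info = classify(parse_stats(text), now)
        HISTORY[name].append((now, info["paths"]))
        report["instances"][name] = info
        report["total_paths"] += info["paths"]
        report["total_crashes"] += info["crashes"]
        report["total_hangs"] += info["hangs"]
        if not info["alive"]:
            report["dead"].append(name)
            # A supervisor would relaunch this; here we only record what to run.
            report["restart"].append(info["command_line"])
    return report


def triage_summary(report):
    """Report lines, instances with the most crashes first."""
    ranked = sorted(report["instances"].items(), key=lambda kv: -kv[1]["crashes"])
    lines = [f"{name}: {i['crashes']} crashes, {i['hangs']} hangs, {i['paths']} paths, "
             f"{i['execs_per_sec']:.1f} exec/s{'' if i['alive'] else ' [DEAD]'}"
             for name, i in ranked]
    lines.append(f"total: {report['total_crashes']} crashes, {report['total_hangs']} hangs "
                 f"over {report['total_paths']} paths; dead instances: {len(report['dead'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_summary(poll(SAMPLE_STATS, NOW))))
```

Run periodically (a scheduled task or a loop with a sleep), `poll` gives the bot the three things the researchers automate: a crash-first report, the series behind the paths graph, and the list of instances to restart. Crash deduplication and reproduction against a non-instrumented build are a separate step that this script does not attempt.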