A micropatch has been released to fix an Adobe Reader zero-day that lets an attacker steal hashed password values.
The issue came out in late January and Alex Inführ, who discovered the hole, released proof-of-concept (PoC) code.
This vulnerability allows a remote attacker to steal a user’s NTLM hash included in an SMB request. It also allows a document to “phone home” to let the sender know the user has viewed the document, according to a post by 0patch.
The exploit does not rely on a software error or specific vulnerability. Instead, attackers leverage weaknesses in a content embedding feature for PDF files, 0patch said.
In this case, the problem lies within Adobe Reader DC and allows attackers to force a PDF file to automatically send an SMB request to a threat actor’s server the moment a document is opened.
As mentioned, it allows the remote theft of an NTLM hash included in the SMB request. By “phoning home,” attackers are able to steal these hashed password values.
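For defenders triaging suspect documents, the following added example (not code from 0patch, Adobe or the original article) scans a PDF's raw bytes and its Flate-compressed streams for SMB targets of the kind described above. It assumes the remote reference is written as a UNC path or an smb:// URL; the function names and the sample document are constructed for illustration.

```python
import re
import zlib

# Assumption: the remote reference is written as a UNC path (\\host\share) or
# an smb:// URL. PDF literal strings double every backslash, so accept both.
# The lookbehind skips escaped local paths such as C:\\Users\\name.
UNC_RE = re.compile(rb"(?<![\\\w:])(?:\\{4}|\\{2})([\w.-]+)\\{1,2}([\w$.-]+)")
SMB_URL_RE = re.compile(rb"smb://([\w.-]+)/([\w$.-]+)", re.IGNORECASE)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflated_streams(pdf_bytes):
    """Yield the inflated body of every stream that is valid zlib (FlateDecode)."""
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the EOL bytes that precede 'endstream'
            body = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw-byte scan still covers it
        yield body


def find_smb_references(pdf_bytes):
    """Return a sorted list of (host, share) pairs referenced by the document."""
    hits = set()
    for blob in (pdf_bytes, *_inflated_streams(pdf_bytes)):
        for pattern in (UNC_RE, SMB_URL_RE):
            for host, share in pattern.findall(blob):
                hits.add((host.decode("ascii"), share.decode("ascii")))
    return sorted(hits)


def build_sample():
    """Constructed sample, not a working PDF: one compressed, one plain reference."""
    hidden = zlib.compress(b'<ref href="\\\\files.example.test\\docs"/>')
    return (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + hidden + b"\nendstream\nendobj\n"
            + b"2 0 obj\n<< /F (\\\\\\\\198.51.100.7\\\\share) >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for host, share in find_smb_references(build_sample()):
        print(f"SMB reference: \\\\{host}\\{share}")
```

This is a triage heuristic: references inside encrypted documents or streams using other filters are not decoded, so a clean result does not prove a file is safe.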