« February 2009 · August 2009 · September 2010 »

April 2009
MonTueWedThuFriSatSun
  0102030405
06070809101112
13141516171819
20212223242526
27282930   
May 2009
MonTueWedThuFriSatSun
    010203
04050607080910
11121314151617
18192021222324
25262728293031
June 2009
MonTueWedThuFriSatSun
01020304050607
08091011121314
15161718192021
22232425262728
2930     

Calendar:

  • No entries for June 2009.
  • No entries for May 2009.
  • 29.04.2009: Federal Reserve Spam/Malware Attack is After Your Data
  • 21.04.2009: Waledac Joe Jobbing Again?
  • 16.04.2009: Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
  • 01.04.2009: Waledac Joe Jobbing Blizzard Image Hosting?
Newest first Oldest first

Saturday, 21 February 2009

More on the Adobe Acrobat 0-Day


Adobe Advisory Issued


First we are a glad to see that Adobe issued Adobe Product Security Advisory 09-01 (APSA09-01) within a few hours of our initial posting on this issue on Thursday. The advisory is more of an acknowledgment of an issue and relatively light on any details. However, a few items of interested can be extracted from this advisory.

1) The earliest patch will be for Adobe 9 and will not be available until March 11, 2009. Patches for other versions will follow.
2) The issue apparently affects Adobe 9, 8, and 7 on *all* platforms.

Work Arounds & Windows Group Policy Object (GPO)


As we mentioned the main work around for this is to disable JavaScript. Acrobat will still crash but the exploit should fail. While all platforms are reportedly affected, we should note that we have only seen active exploits for Windows and not Linux or OS X platforms. Once again to disable JavaScript in Acrobat [Reader], take the following steps:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Elazar Broad also wrote into us the other day and provided a GPO that can be used to disable JavaScript for Adobe Acrobat [Reader]. We have not tested it but you can grab it by clicking here. Basically these are the keys of interest (from HKEY_CURRENT_USER):

Adobe Acrobat Reader:
Software\Adobe\Acrobat Reader\x.0\JSPrefs
Adobe Acrobat:
Software\Adobe\Adobe Acrobat\x.0\JSPrefs

Setting the DWORD "bEnableJS" to 0 will disable JavaScript.

Not so New After All?


We are also seeing more evidence that this exploit may not be so new after all. Various write-ups from different vendors, Symantec, McAfee, and Sophos, may possibly indicate this exploit has been around since mid-January and potentially in December. We have not been able to validate any of this yet, but we are thinking this exploit was likely in the wild since some time in January. Unfortunately we do not have a comprehensive list of command and control servers that we can share.

Details Released


We knew it would not take too long -- the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly. While we intentionally did not release these details, they are out there now. Expect that a wider set of attackers will now start using this exploit in the near future before the patch is released. In other words...DISABLE JAVASCRIPT and patch as soon as it becomes available!

=>Posted February 21, 2009, at 10:24 AM by Steven Adair