Monday, 14 December 2009
When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose
It has been a while since we have posted anything publicly, but we promise that we have been hard at work all this time. We come to you today with some bad news, but hope to be of assistance. The Shadowserver Foundation has become aware of a new vulnerability affecting Adobe Acrobat [Reader] that is currently unpatched. Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader], including the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable.
We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad. Adobe PSIRT has made a post on this issue and recommends you continually check their website for additional updates. Hopefully there will be some in the next day or two.
We can tell you that this exploit is in the wild, is actively being used by attackers, and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and they are most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and, unfortunately, potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:
We have not had time to fully test but enabling hardware DEP for systems that support it may also mitigate this issue.
Antivirus detection should improve in the coming weeks, and hopefully a patch will follow. Right now only 5 out of the 41 different antivirus vendors used by VirusTotal are detecting this threat. Even then, their detection appears to be generic and does not currently detect this exploit specifically. The 5 vendors to detect the threat are:
- (McAfee-GW-Edition) *note this is not the same as McAfee Desktop or Mail Server Edition
=>Posted December 14, 2009, at 08:07 PM by Steven Adair and guest co-blogger Matt Richard