Monday, 14 December 2009

When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose


Greetings Everyone,

It has been a while since we have posted anything publicly, but we promise that we have been hard at work all this time. However, we come to you today with some bad news, and hope to be of assistance. The Shadowserver Foundation has become aware of a new vulnerability affecting Adobe Acrobat [Reader] that is currently unpatched. Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader], including the most recent 8.x and 9.x releases. We have not tested on 7.x, but it may also be vulnerable.

We did not discover this vulnerability, but we have received multiple reports of this issue and have examined several different copies of malicious PDFs that exploit it. This is legit and is very bad. Adobe PSIRT has made a post on this issue and recommends that you continually check their website for additional updates. Hopefully there will be some in the next day or two.

Exploit Details

We can tell you that this exploit is in the wild, is actively being used by attackers, and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and, unfortunately, potentially to become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

1) There currently is no patch or update available that completely protects against this exploit. (We don't want this any more widespread than it is already.)
2) There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said, we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore, the malicious JavaScript that triggers it is obfuscated and compressed inside a zlib (FlateDecode) stream in the PDF, so the exploit code never appears in cleartext in the file. That makes universal detection and intrusion detection signatures much more difficult: a signature has to inflate the stream before it can match anything, and the same script can be re-encoded into different bytes without changing what it does. On the bright side, though, there are some solutions to this problem.
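To show what the compressed-stream point means for detection, here is an added example (not code from the Shadowserver post, and not the exploit): a small Python triage scanner that walks the objects of a PDF, inflates any FlateDecode stream it finds, and looks for JavaScript markers in the inflated content, side by side with the naive byte signature it is meant to improve on. The PDF it scans, the harmless script inside it, and the marker list are constructed for the demo.

```python
"""Triage scanner: find JavaScript hidden in FlateDecode (zlib) streams of a PDF.

Added example, not code from the Shadowserver post and not the exploit. The
sample PDF, its script and the marker list are constructed for this demo.
"""
import re
import zlib

# Tokens that point at script content or the actions that launch it once a
# stream is inflated. Assumed useful for triage; deliberately not exhaustive.
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction",
              b"eval(", b"unescape(", b"app.", b"util.")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_KW_RE = re.compile(rb"\bstream\r?\n")
# Direct /Length only; an indirect reference such as "/Length 5 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def split_stream(body):
    """Return (dictionary, raw stream bytes) for a stream object, else None."""
    m = STREAM_KW_RE.search(body)
    if m is None:
        return None
    dict_part, rest = body[:m.start()], body[m.end():]
    lm = LENGTH_RE.search(dict_part)
    if lm:
        raw = rest[:int(lm.group(1))]
    else:  # no usable /Length: fall back to the endstream keyword
        end = rest.rfind(b"endstream")
        raw = rest[:end].rstrip(b"\r\n") if end >= 0 else rest
    return dict_part, raw


def inflate(raw):
    """Inflate a FlateDecode stream; returns (data, error). Trailing bytes are tolerated."""
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush(), None
    except zlib.error as exc:
        # A stream that refuses to inflate is itself worth a look; report it.
        return b"", str(exc)


def scan_pdf(data):
    """One finding per object that carries script markers or a broken stream."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        compressed, err, text = False, None, body
        parts = split_stream(body)
        if parts is not None:
            dict_part, raw = parts
            compressed = b"/FlateDecode" in dict_part
            if compressed:
                inflated, err = inflate(raw)
                text = dict_part + inflated  # match on dictionary plus inflated content
        markers = [mk for mk in JS_MARKERS if mk in text]
        if markers or err:
            findings.append({"obj": num, "compressed": compressed,
                             "markers": markers, "error": err})
    return findings


def raw_signature_hit(data, needle):
    """What a naive byte signature sees: the file exactly as it sits on disk."""
    return needle in data


# Constructed demo script: harmless, but it uses the tokens a heap-spray
# stage would (unescape of %u-encoded data), which is what a signature wants.
SCRIPT = b"var s = unescape('%u9090%u9090'); app.alert(s.length);"


def build_sample_pdf(script, compress):
    """Construct a minimal PDF whose /OpenAction runs `script` (demo input only)."""
    payload = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n" % (len(payload), filt) + payload + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    for label, compress in (("plain", False), ("flate", True)):
        pdf = build_sample_pdf(SCRIPT, compress)
        print(f"{label}: raw signature 'unescape(' -> {raw_signature_hit(pdf, b'unescape(')}")
        for f in scan_pdf(pdf):
            print(f"  obj {f['obj']}: compressed={f['compressed']} markers={f['markers']} error={f['error']}")
```

Run as a script, it shows the raw signature hitting the uncompressed copy and missing the FlateDecode copy, while the scanner flags object 4 in both because it matches after inflation. It is a triage aid, not a detector: it ignores indirect /Length values, object streams, filters other than FlateDecode and hex-escaped names, all of which a real scanner has to handle before a marker list like this one means much.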

Solution

We have said it before and we will say it again: Disable JavaScript.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Note that this is a per-user preference: on shared or managed machines it has to be set for every account (or pushed out centrally). It blocks the trigger path rather than removing the underlying flaw, so the patch is still required once it ships.

We have not had time to fully test this, but enabling hardware DEP on systems that support it may also mitigate this issue.

Antivirus detection should improve in the coming weeks, and hopefully a patch will follow. Right now only 5 of the 41 antivirus engines used by VirusTotal detect this threat, and even then their detection appears to be generic rather than specific to this exploit. The 5 vendors detecting the threat are:

  • McAfee-GW-Edition (note this is not the same as McAfee Desktop or Mail Server Edition)
  • eSafe
  • NOD32
  • AntiVir
  • Kaspersky

We recommend keeping a close eye on posts from Adobe and applying any updates immediately. In the interim we strongly recommend that you disable JavaScript. Also, until we move to a CMS/blog platform, we are still using our mailing list to announce our posts. Feel free to subscribe, but keep in mind that it is 100% public.

Posted December 14, 2009, at 08:07 PM by Steven Adair and guest co-blogger Matt Richard