PDF exploit - proactive detection confirmed

Filed Under: SophosLabs

After a significant number of enquiries yesterday, following the reports of the new zero-day vulnerability in Adobe Reader and Acrobat [CVE-2009-0658, APSA09-01], we finally got our hands on a sample to confirm the detection status. The malicious PDF is proactively detected as Mal/JSShell-B.

That's the good news. But readers should not be complacent. With further details of the vulnerability having been leaked, it is only a matter of time before it gets incorporated into all the exploit kits out there and bundled alongside the umpteen other exploits on malicious attack sites. And with an anticipated patch date from Adobe of March 11th [1] (let's hope that date comes in a bit), there is plenty of space for evil doings.

In the case of this specific sample, it attempts to exploit the vulnerability in order to infect the victim with a remote access Trojan. At the time of writing, the remote file was unavailable, but previously it was detected as Mal/Behav-254.

In addition to using up-to-date security software, users may well be interested in workarounds to protect themselves whilst waiting for the patch. These include:

  • Disabling JavaScript within the relevant products (Adobe Reader and Acrobat, see the Adobe advisory for affected product versions). This can be done from the Edit->Preferences menu in Adobe Reader.
  • Preventing IE from automatically displaying PDFs. This can be done via a Registry tweak described in the US-CERT notification.
  • Disabling rendering of PDFs within web pages. This can be done from the Edit->Preferences menu in Adobe Reader.
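To go with the JavaScript workaround, it helps to know which PDFs in a mail quarantine or on a file share carry script at all. The following is an added triage example, not Sophos or Adobe code and not the logic behind the Mal/JSShell-B detection; the function names and both sample documents are constructed for illustration.

```python
import re

# PDF names worth flagging: script carriers (/JS, /JavaScript) and
# triggers that run an action without user input (/OpenAction, /AA).
WATCHED = ("JS", "JavaScript", "OpenAction", "AA")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples: one document with an escaped /JavaScript name, one without script.
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /J#61vaScript /JS (var x = 1;) >>\nendobj\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count watched names in the raw bytes of a PDF.

    Limitation: names inside compressed streams are not visible to this
    scan, and a name-like sequence inside a string also counts, so treat
    the result as a triage hint rather than a verdict.
    """
    counts = {name: 0 for name in WATCHED}
    escaped = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                escaped += 1  # a watched name written with #xx escapes is itself suspicious
    return {
        "counts": counts,
        "escaped_names": escaped,
        "has_script": counts["JS"] > 0 or counts["JavaScript"] > 0,
        "auto_runs": counts["OpenAction"] > 0 or counts["AA"] > 0,
    }
```

A file with `has_script` set is not necessarily malicious, but it is one whose behaviour changes when JavaScript is disabled in the reader, which makes it the natural place to start a review.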

I also recommend that users subscribe to Adobe's security notification service [2], to keep abreast of this (and future) vulnerabilities.
