APSA10-02: BOPs and the Adobe 0-day

Filed Under: Adobe, Malware, SophosLabs, Vulnerability

Adobe
Just a quick update on the latest Adobe zero-day vulnerability (APSA10-02) that has come to light this week. You may well have already watched the video Chet posted yesterday. We have also published an advisory page for this vulnerability as well.

As mentioned in Chet's post and the advisory, detection for this threat was provided in the form of Troj/PDFJs-ME. However, even prior to this detection being published, Sophos customers were already protected thanks to Buffer Overflow Prevention (BOPs).

In my tests, attempting to open the malicious PDF on a machine protected by SAV 9.5 (prior to the Troj/PDFJs-ME detection being available) resulted in an BOPs alert:

Testing was performed on Windows XP SP3, using SAV 9.5 (updated September 6th) and Adobe Reader v9.3.4. BOPs was enabled (of course) and not running in alert only mode.

Only the other week I was trying to explain the role of BOPs in layered protection at the endpoint to some customers. This case provides a perfect illustration of valuable this form of generic protection against such attacks can actually be!

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.