Update on the Adobe vulnerability

On Friday, SophosLabs posted news about a new Adobe Reader vulnerability believed to be under active exploitation in the wild (CVE-2009-3459; Adobe has published a security advisory for it). Since then a few more details have surfaced.

Readers may have seen reports of a malicious PDF circulating in the wild that exploits this vulnerability. Sophos products already detect and block this sample as Troj/PDFJs-DS.

If the malicious PDF's exploit for CVE-2009-3459 succeeds, it drops and runs an executable, detected by Sophos as Mal/Generic-A, which in turn installs a backdoor Trojan in the form of a DLL, detected as Troj/Protux-Gen.

Testing so far, with Adobe Reader 9.1.3 and 9.1.0, suggests that exploitation is unreliable: in most runs Reader simply crashed rather than running the payload. That is no reason to relax. An unreliable exploit still succeeds some of the time, and a Reader crash on opening an untrusted PDF should be treated as a possible exploitation attempt rather than a harmless glitch. Customers should stay alert for tomorrow's security update from Adobe to patch this issue, and apply it as soon as it is available.
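The detection name Troj/PDFJs-DS points to a PDF carrying JavaScript (an inference from the naming convention; the post itself does not describe the file's internals). Until the patch lands, a quick triage step is to look for PDFs that declare JavaScript at all, including ones that hide the keywords inside compressed streams or spell them with #XX name escapes. The script below is an added example written for this post, not Sophos code and not the in-the-wild sample; the two PDFs embedded in it are constructed for the demonstration, and the whole thing is a heuristic: a hit means "inspect further", a miss does not mean the file is safe.

```python
"""Triage check for PDFs that carry JavaScript.

Added example for this post; not Sophos code and not the Troj/PDFJs-DS
sample. Heuristic only: a hit means "inspect further", a miss does not
mean the file is clean. Both sample documents below are constructed.
"""
import re
import sys
import zlib

# Name objects that matter for this triage: the JavaScript markers, and the
# hooks that make a document act without the user clicking anything.
JS_NAMES = ("/JavaScript", "/JS")
AUTO_ACTION_NAMES = ("/OpenAction", "/AA", "/Launch")

# PDF allows any byte of a name to be written as #XX, so /Java#53cript is
# the same name as /JavaScript. Resolve that before keyword matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter; this stops /JS matching /JSX.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Replace #XX escapes with the bytes they encode."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Best-effort inflate of every stream body. Flate-compressed object
    streams only reveal their dictionaries after decompression; streams
    that are not zlib data raise and are skipped."""
    bodies = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates a missing trailer, unlike zlib.decompress
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies


def scan_pdf(data: bytes) -> dict[str, int]:
    """Count each marker across the raw file and all inflated streams.
    Returns only the names that were seen at least once."""
    views = [normalize_names(data)]
    views += [normalize_names(body) for body in inflate_streams(data)]
    hits: dict[str, int] = {}
    for name in JS_NAMES + AUTO_ACTION_NAMES:
        pattern = re.compile(re.escape(name.encode()) + _NAME_END)
        count = sum(len(pattern.findall(view)) for view in views)
        if count:
            hits[name] = count
    return hits


def has_javascript(data: bytes) -> bool:
    """True when the document declares JavaScript anywhere. Auto-action names
    alone do not flag: an /OpenAction that jumps to a page is perfectly normal."""
    found = scan_pdf(data)
    return any(name in found for name in JS_NAMES)


# Constructed sample 1: an ordinary one-page document with no actions.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: the catalog runs object 5 on open, and object 5 sits
# inside a Flate-compressed stream with JavaScript spelled via a #XX escape.
# Loosely shaped like an object stream; not a spec-exact PDF, just a scan target.
_HIDDEN = zlib.compress(
    b"5 0 obj << /Type /Action /S /Java#53cript /JS (app.alert(1)) >> endobj"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"4 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    # Usage: python pdf_js_triage.py file.pdf [more.pdf ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = scan_pdf(fh.read())
        flag = "JS" if any(n in found for n in JS_NAMES) else "--"
        print(f"{flag} {path} {found}")
```

Note that a plain grep for /JavaScript over the raw file misses the constructed suspicious sample entirely, because the keyword is both compressed and escaped; that is why the scan works on the inflated streams with name escapes resolved. Files this script flags should go to a sandbox or a proper PDF parser for a closer look, not straight to a verdict.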