New Adobe 0-day

Yesterday, murmurings of a new Adobe exploit surfaced [see for example here]. Adobe have also posted some brief information about this vulnerability (CVE-2009-4324) here.

At this point it is not clear exactly how widespread attacks targeting this vulnerability actually are. One thing is for sure though: as information spreads, we are likely to see the volume increase.

Detection for one malicious sample that has been seen has been added as Troj/PDFJs-FS. The payload of this particular attack is as follows.

  • If the vulnerability is successfully exploited, a downloader Trojan is dropped and run. Detection for this has been added as Troj/Dloadr-CXT.
  • The downloader attempts to download another executable from a remote server. This component is proactively detected as Mal/Behav-027.

As discussed previously within this blog (for example here), and in the above ShadowServer posting, the best mitigation against this attack is to disable JavaScript within Adobe Reader. I wonder how long it will be before this is the default (at least for untrusted or unauthorized documents)?
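Disabling JavaScript in Reader protects the endpoint, but a defender triaging a mail queue or a file share also wants to know which PDFs carry JavaScript at all, and whether it is wired to run automatically when the document is opened. The following Python script is an added example written for this post; it is not Sophos or Adobe code and is not how Troj/PDFJs-FS works. It scans for the /JS and /JavaScript names and the /OpenAction and /AA triggers, resolves #xx-escaped name spellings (so /J#61vaScript is matched), and inflates FlateDecode streams so JavaScript hidden inside compressed objects is found too. The PDF samples at the bottom are constructed inline for the demonstration.

```python
"""Triage PDF files for embedded JavaScript and auto-run triggers (added example)."""
import re
import zlib

# Names that carry JavaScript, and the dictionary keys that make an action run
# automatically when the document (or a page) is opened.
JS_NAMES = {b"/JS", b"/JavaScript"}
TRIGGER_NAMES = {b"/OpenAction", b"/AA"}

# A PDF name token runs from '/' to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# A name may spell any byte as #xx, so /J#61vaScript is the same name as /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside every name so obfuscated spellings match."""
    def unescape(match):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME.sub(unescape, data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the plaintext of every stream that inflates as FlateDecode data.

    Streams that are not Flate-compressed (or are damaged) are skipped here;
    their raw bytes are still scanned by the caller.
    """
    plain = []
    for match in _STREAM.finditer(data):
        try:
            plain.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue
    return b"\n".join(plain)


def triage(pdf_bytes: bytes) -> dict:
    """Report which JavaScript / auto-trigger names a PDF contains, with counts."""
    text = _normalise_names(pdf_bytes + b"\n" + _inflate_streams(pdf_bytes))
    names = _NAME.findall(text)
    hits = {n.decode(): names.count(n) for n in JS_NAMES | TRIGGER_NAMES if n in names}
    return {
        "has_javascript": any(n.decode() in hits for n in JS_NAMES),
        "auto_triggered": any(n.decode() in hits for n in TRIGGER_NAMES),
        "indicators": hits,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# --- Constructed sample documents (not real malware) -----------------------
SAMPLE_CLEAN = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length 15 >>\nstream\nBT /F1 12 Tf ET\nendstream\nendobj\n%%EOF\n"
)
SAMPLE_OPENACTION = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /OpenAction << /S /JavaScript /JS (app.alert('constructed sample')) >> >>\n"
    b"endobj\n%%EOF\n"
)
SAMPLE_OBFUSCATED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog\n"
    b"   /AA << /O << /S /J#61vaScript /J#53 (app.alert(1)) >> >> >>\nendobj\n%%EOF\n"
)
_inner = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
_inner_z = zlib.compress(_inner)
SAMPLE_COMPRESSED = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_inner_z)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _inner_z + b"\nendstream\nendobj\n%%EOF\n"
)
SAMPLES = {
    "clean": SAMPLE_CLEAN,
    "openaction": SAMPLE_OPENACTION,
    "obfuscated": SAMPLE_OBFUSCATED,
    "compressed": SAMPLE_COMPRESSED,
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:11s} {triage(sample)}")
```

A hit from triage_file() is a reason to quarantine the document and look at it in a sandbox, not proof that it is malicious: legitimate forms use JavaScript too, which is exactly why disabling it globally is a blunt but effective control. The script does not handle encrypted PDFs or filters other than FlateDecode, so a document with no hits and unreadable streams should be treated as "unknown" rather than clean.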

The Sophos advisory for this vulnerability has been posted here.