New Adobe 0-day

Filed Under: SophosLabs, Vulnerability

Yesterday, murmurings of a new Adobe exploit surfaced [see for example here]. Adobe have also posted some brief information about this vulnerability (CVE-2009-4324) here.

At this point it is not clear exactly how widespread attacks targeting this vulnerability actually are. One thing is for sure though, as information spreads, we are likely to see the volume increase.

Detection for one malicious sample seen has been added as Troj/PDFJs-FS. The payload of this particular attack is as follows.

  • If the vulnerability is successfully exploited, a downloader Trojan is dropped and run. Detection for this has been added as Troj/Dloadr-CXT.
  • The downloader attempts to download another executable from a remote server. This component is pro-actively detected as Mal/Behav-027.

As discussed previously within this blog (for example here), and in the above ShadowServer posting, the best mitigation against this attack is to disable JavaScript within Adobe Reader. I wonder how long before this is a default option (at least for non-trusted/authorized documents)?

The Sophos advisory for this vulnerability has been posted here.

You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s