Since receiving samples of the latest Adobe vulnerability SophosLabs analysts have been working on protecting our customers. Detection for the PDF file known to exploit this vulnerability has been added as Troj/SWFDlr-S.
The payload installed by this file is proactively detected as Mal/DownLdr-AC (since Sep 2008). In this blog post I will describe various mitigation strategies that we have been testing.
- Renaming authplay.dll Our testing shows that this workaround, at least for this sample, works successfully (as claimed by Adobe). Acrobat will work normally on regular PDFs, but on exploited files (and potentially others with embedded SWF files), it will crash, but the exploit will fail.
- Alternative PDF reader The exploit depends upon embedded SWF content, so PDF readers which ignore this ought to be safe.
Thanks to my colleagues in our Sydney lab for this analysis.
Customers can read the vulnerability assessment page for further details and updates when available.