Update: After analyzing the payload downloaded by the in-the-wild sample provided by @snowfl0w, I can report that Sophos detects the payload as Troj/Agent-OOH. Kaspersky reports that payloads have been seen which are digitally signed with a legitimate software-signing certificate, similar to Stuxnet.
Adobe’s Acrobat and Reader products are once again in the spotlight for a new vulnerability disclosed by @snowfl0w at the contagio malware dump blog.
There is one big difference between this vulnerability and the others recently patched in Reader. The last few advisories were actually for flaws in Adobe Flash, and you could disable Flash rendering in Reader to mitigate those flaws.
The sample I have does require JavaScript to be enabled. I do not know whether the vulnerability itself requires JavaScript, but it would seem that it does not. Adobe did not suggest disabling JavaScript as a mitigation technique. Disabling JavaScript does stop the in-the-wild sample we have analyzed, so it may be worth giving it a try.
Adobe’s advisory does not contain any mitigation steps, which implies that none are known to work. They have classified the bug as “critical”, and I would be surprised if they did not release an out-of-band fix for something this dangerous.
To provide you with some context as to how it would look if you were to receive and launch one of these PDFs, I put together a quick YouTube video demonstrating how it works.
The best protection at the moment is to make sure your anti-malware vendor has provided protection against the known samples, and to scan all incoming email and web content for PDFs exhibiting malicious characteristics. Sophos has published protection for our customers as Troj/PDFJs-ME.
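As an added example (not code from this post or from SophosLabs), here is a small triage script of the kind a mail or web gateway could run to flag the characteristics described above: a PDF that carries JavaScript and arranges for it to run automatically on open. It follows the keyword-counting approach popularised by tools such as pdfid, and it decodes PDF name hex escapes (`/Java#53cript`) first, because otherwise a trivially obfuscated name slips past a naive string match. The three PDF fragments embedded below are constructed for the example; the indicator list, thresholds and verdict labels are assumptions for illustration, not a statement of what Troj/PDFJs-ME detects.

```python
import re
import sys

# Constructed sample PDF fragments (not real malware). They are minimal
# object dictionaries, enough to exercise the keyword triage below.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# JavaScript action wired to the catalog's /OpenAction: runs when the file opens.
JS_AUTORUN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Same thing, but the names are hex-escaped (#53 == 'S'), which the PDF
# syntax allows and a plain substring search would miss.
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Java#53cript /J#53 (app.alert(1)) >>\nendobj\n"
)

# Keywords worth counting (an assumed, illustrative list).
INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF names so /Java#53cript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> dict:
    """Count each indicator keyword, after name normalization.

    The negative lookahead stops /JS from matching the start of a longer
    name and /AA from matching e.g. /AAX.
    """
    norm = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, norm))
    return counts


def triage(data: bytes) -> str:
    """Return a coarse verdict: 'not a PDF', 'low', 'medium' or 'high'.

    Reader tolerates junk before the %PDF- header, so only require the
    header to appear somewhere in the first 1024 bytes.
    """
    if b"%PDF-" not in data[:1024]:
        return "not a PDF"
    c = count_indicators(data)
    has_js = c["/JavaScript"] + c["/JS"] > 0
    auto_run = c["/OpenAction"] + c["/AA"] > 0
    if has_js and auto_run:
        return "high"       # script present and set to run on open / on an event
    if has_js or c["/Launch"] or c["/EmbeddedFile"]:
        return "medium"     # script or launch/embedded payload, no auto trigger seen
    return "low"


if __name__ == "__main__":
    # Usage: python pdf_triage.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: {triage(blob)} {count_indicators(blob)}")
```

A gateway would treat "high" as quarantine-and-alert and "medium" as hold-for-review; note that object streams and compressed content can hide these names from a byte-level scan, so this check complements rather than replaces a signature-based engine.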
I will post updates regarding patches and other information as it becomes available.