APSA10-02: BOPs and the Adobe 0-day

Just a quick update on the latest Adobe zero-day vulnerability (APSA10-02) that came to light this week. You may well have already watched the video Chet posted yesterday, and we have also published an advisory page for this vulnerability.

As mentioned in Chet’s post and the advisory, detection for this threat was provided in the form of Troj/PDFJs-ME. However, even prior to this detection being published, Sophos customers were already protected thanks to Buffer Overflow Prevention (BOPs).

In my tests, attempting to open the malicious PDF on a machine protected by SAV 9.5 (before the Troj/PDFJs-ME detection was available) resulted in a BOPs alert:

Testing was performed on Windows XP SP3, using SAV 9.5 (updated September 6th) and Adobe Reader v9.3.4. BOPs was enabled (of course) and not running in alert only mode.

Only the other week I was trying to explain to some customers the role of BOPs in layered protection at the endpoint. This case provides a perfect illustration of how valuable this form of generic protection against such attacks can actually be!