More Bad News for Adobe - Zero Day


Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Feb 24, 2009 5:43 am

More Bad News for Adobe - Zero Day

Adobe just can't catch a break. This is severe and many IT staff are going as far as moving to other vendors temporarily, my company included (Foxit). Do what you can, with what you have.

Also, lol, funny as I just posted a whole bunch of Shmoo talks with links to PDFs. Doh

** HD Moore's writeup here

** Exploit code here

** Sourcefire has some Snort updates for the attacks

http://www.snort.org/vrt/advisories/vrt ... 02-20.html

Zero-Day Attack On Adobe Acrobat And Reader Under Way, But Patch Is Weeks Away
Disable JavaScript in Reader, security experts say

A new attack exploiting a previously unknown bug in Adobe Acrobat Reader is on the loose and being called "very severe," but Adobe doesn't plan to release a patch for the buffer overflow vulnerability until next month.

The Shadowserver Foundation reports that several iterations of the attack are spreading in the wild via the popular Acrobat and Acrobat Reader applications. "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited," blogs Shadowserver's Steven Adair. "Right now we believe these files are only being used in a smaller set of targeted attacks. However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."

Adobe issued an alert about the vulnerability yesterday, describing it as a "critical" buffer overflow vulnerability in Versions 9 and earlier of both Adobe Reader and Acrobat. "This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited," Adobe said.

But an update for Adobe Reader 9 and Acrobat 9 won't be issued until March 11, the company said, and updates for versions 8 and 7 of the software tools "soon after."

In the meantime, the best way to defend against the attack is to disable JavaScript in Acrobat and Acrobat Reader, according to Shadowserver. This will prevent the malware from hitting your system, but it will still crash the application. "We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of a small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice," Adair blogged.

Shadowserver analyzed the exploit and found that the malicious PDFs carry JavaScript and exploit a non-JavaScript function call. So disabling JavaScript kills the exploit, but crashes the application.

Several antivirus firms, including Symantec and Trend Micro, can now detect the attack.
Last edited by Jhaddix on Tue Feb 24, 2009 8:23 am, edited 1 time in total.
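The quoted article says the malicious PDFs carry JavaScript and recommends disabling JavaScript in Reader until the patch ships. The script below is an added example, not code from the thread, from Shadowserver or from Adobe: a small triage check that flags PDFs containing JavaScript actions (the /JavaScript and /JS name objects) and whether they are wired to run automatically (/OpenAction or /AA), including keys hidden inside FlateDecode-compressed streams. The three sample documents are constructed inline for the example and are not real exploit files; the function and indicator names are my own. Treat a hit as a reason to quarantine and look closer, not as proof of the exploit: the article itself notes the trigger is a non-JavaScript function call, and this heuristic only inflates Flate streams (other filters and object streams are left alone).

```python
import re
import zlib

# Name-object indicators. The lookahead stops "/JS" also matching a longer
# name such as "/JSX"; these names are my choice for this example.
INDICATORS = {
    "JavaScript": re.compile(rb"/JavaScript(?![A-Za-z0-9])"),
    "JS": re.compile(rb"/JS(?![A-Za-z0-9])"),
    "OpenAction": re.compile(rb"/OpenAction(?![A-Za-z0-9])"),
    "AA": re.compile(rb"/AA(?![A-Za-z0-9])"),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the document bytes followed by the inflated body of every
    FlateDecode stream, so keys hidden inside compressed objects become visible."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed, differently filtered, or corrupt: skip it
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf_bytes(data: bytes) -> dict:
    """Heuristic triage: which JavaScript-related keys does this PDF contain,
    and is the script set to run without user interaction?"""
    if not data.lstrip().startswith(b"%PDF-"):
        return {"is_pdf": False, "found": [], "has_javascript": False, "auto_run": False}
    text = inflate_streams(data)
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    has_js = "JavaScript" in found or "JS" in found
    auto_run = has_js and ("OpenAction" in found or "AA" in found)
    return {"is_pdf": True, "found": found, "has_javascript": has_js, "auto_run": auto_run}


# --- constructed sample documents (minimal, not valid for a real viewer) ---
_PAGES = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
_TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"


def build_benign_pdf() -> bytes:
    """A page with no actions at all."""
    return b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + _PAGES + _TRAILER


def build_js_pdf() -> bytes:
    """Catalog whose /OpenAction points at a plain-text JavaScript action."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            + _PAGES
            + b"4 0 obj << /S /JavaScript /JS (app.alert) >> endobj\n" + _TRAILER)


def build_compressed_js_pdf() -> bytes:
    """Same action dictionary, but hidden inside a FlateDecode stream so a
    plain string search on the raw file would miss /JavaScript."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert) >>")
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            + _PAGES
            + b"4 0 obj << /Length " + str(len(hidden)).encode()
            + b" /Filter /FlateDecode >> stream\n" + hidden + b"\nendstream endobj\n"
            + _TRAILER)


if __name__ == "__main__":
    for label, doc in (("benign", build_benign_pdf()),
                       ("plain JS", build_js_pdf()),
                       ("compressed JS", build_compressed_js_pdf())):
        print(label, scan_pdf_bytes(doc))
```

To triage a directory of attachments, read each file as bytes and pass it to scan_pdf_bytes; anything with auto_run set is the kind of document that would fire the moment Reader opens it, which is exactly what the "disable JavaScript" advice above blunts.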


Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Wed Feb 25, 2009 1:40 am

Re: More Bad News for Adobe - Zero Day

Hey guys, I got this blog from Computerworld where it says that a security researcher has posted a home-made patch for the fresh PDF vuln.

A security researcher has published a home-brewed patch for a critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks.

Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire Inc., posted the patch Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

"The patch is just a replacement .dll -- AcroRd32.dll to be precise," said Grenier in a post to the Sourcefire vulnerability research blog. The .dll, which weighs in at 19MB, replaces the existing file in the "C:\Program Files\Adobe\Reader 9.0\Reader\" directory on Windows machines.

"No warranty expressed or implied, etc. etc.," concluded Grenier.
