PDF expolit?

Does Nod32 protect against the recent PDF exploit on unpatched Acrobat systems?

http://www.theregister.co.uk/2007/10/24/pdf_exploit_in_the_wild/

 

You'd better kill that Adobe and use Foxit Software products:
http://www.foxitsoftware.com/

Smaller company , Smaller products , Ligher products , NO DINOSAURUS files , the free Reader is only 4 Mbs and one exe file only (not 120+ Mb like Adobe Reader 8 ) . Advise your clients on it , too.

Smaller company , less exploitable (in case something comes up)


And on the topic , I don't know.

 

Apparently not.

http://www.virustotal.com/resultado.html?58709775859b69b6b60e4c6bdaec35d6

 

Hi.

I think this is ESET signature for that exploit dated on October 23.

PDF/Exploit.Shell.A

 

Thanks Guys

Hitech - I tried Foxit but didn't like it. I found it displayed a PDF file with noticeably reduced quality.

 

May just a little bit worse than Adobe . I simply got tired of Adobe's dinosaurus programs and numerous updates (especially after v8 )

 

Yup...very light program, opens in the blink of an eye. I've started detesting Adobes Acrobat when version 6 came out...and those glacially long "opening" times..especially when opening a PDF through your web browser.

And nagging updates.

 

another vote for Foxit. Acrobat has become the perfect example of bloated software, absolutely dreadful program now.

If I have to use Acrobat I download one of the earlier versions from oldversion.com

 

Apparently that signature doesn't catch all variants, as NOD32 misses the sample I have.

 

+1 on Foxit. Not only is it faster and much lighter, it's not near as "network busy". We've been using it for over a year and have had zero problems.

 

Foxit is really good, but for some that might not be an option. There are several features of acrobat that foxit doesn't support, but for most users that only need to read some simple pdf's it's a very good option. I have to use acrobat 8.x for that reason and even if huge it takes about 1 second to start (a bit longer the first time after a reboot) so it's not that bad to use. I found version 7 to be much slower.
So i would also find it interesting to know if nod32 protect against this exploit and a recommendation for other programs is really not interesting at all. I do believe that the latest update from Adobe fixed that exploit though.

 

According to virustotal screenshot apparently yes, it doesn't detect all variants. Maybe they will add some sort of generic signature for this exploit in the near feature.

 

Or open source Sumatra PDF viewer by Krzysztof Kowalczyk:
http://blog.kowalczyk.info/software/sumatrapdf/

 

Try pdf-xchange if you do not like foxit. It is feature rich, lightweight (not as light as foxit), free and runs in many Windows formats including Vista.

http://www.docu-track.com/home/prod_user/pdfx_viewer/

 

It seems that they revised the "PDF/Exploit.Shell.A" signature in the new 2620 update.
http://www.eset.com/joomla/index.php?option=com_content&task=view&id=4073&Itemid=26

 

lol, this just shows what a bad piece of software Acrobat has become.

Within 24 hours, hackers had managed to exploit the patch which Adobe issued to fix the original exploit.

http://www.internetnews.com/ent-news/article.php/3707666

 

Which is one more reason I would get rid of Adobe
This is ridiculous - release a vulnerable patch

 

I don't think you are correct in saying the patch is vulnerable. If you read the article provided by dannyboy closely, it appears that the new PDF exploit uses the problem fixed by the patch - trying to infect folks before they update Acrobat reader to the new version 8.1.1.

From the article:
"Adobe issued a patch this past week and the first thing Russian criminals did was examine it, extract the problem it fixes, and have now unleashed a flood of PDF spam with an exploit in it that will install rootkits and Trojans on your computer."

...

"Adobe fixed the flaw Monday and released Acrobat Reader 8.1.1, and the company is working to fix the 7.0.x version as well."


...

"Dunhan said the exploit emerged in the wild of the Internet within a day of Adobe issuing its patch and they are counting on considerable lag between the release of the patch and individuals updating their computers."

 

Patches may introduce/reopen vulnerabilities. But, you misunderstood the article. It says that malware writers have reverse engineered the patch to see what it's fixing. Then, they release the exploit code and bet on unpatched machines, which are going to be a lot. Very few people keep third-party applications up-to-date.

 

You are right . I apologise

 

No need to apologize

 

For those interested in a simple method of keeping third party apps up to date, you might try the Secunia Software Inspector site:

http://secunia.com/software_inspector/

 

Current NOD32 2621 (2007.10.2 still can not detect

Sample file has been sent.

~ VirusTotal screenshot removed per this Policy. Please submit infected files to samples[at]eset.com. - snapdragin ~

 

Bloated is an understatement to say the least, and whats worse is it continues to swell with each new version

Might be the reason i reverted all the way back to Reader v.5

Seems these malware exploiters focus mostly on the latest releases anyway especially if they even go after the patches?

 

how do PDF's print - after all,that's their PURPOSE originally - their web use is secondary and quite honestly a pain