New Adobe Reader and Acrobat Exploit in the Wild

Adobe Reader and Acrobat issue
http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html

Adobe Acrobat Reader Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/36600/discuss

Targeted exploits ususally suggest email as the attack vector at an organization, either with a link to download the PDF file, or the PDF file arriving as an attachment.

However, once the exploit code is available, it could appear in other web-based attacks as seen in the past.

Remote Code execution suggests the same type of exploit we've seen in the past, where code inside the PDF file connects out to the internet to a server to download malware.

-rich

 

Adobe is having the Microsoft 2005 moment ...
Mrk

 

From Trend Micro:
http://blog.trendmicro.com/new-adobe-zero-day-exploit/

 

Thanks for that article. Other researchers who had the PDF file were stingy and didn't give any information about the exploit code.

Here is the pertinent part from TrendMicro:

I've not seen such a PDF file to test, but the same type of exploit can be shown using an earlier malicious document file, as mentioned by TrendMicro:

Malicious RTF Document in Targeted Email Exploit
https://www.wilderssecurity.com/showthread.php?t=244726

Whether the executable is extracted from the document, or attempts to download via code calling out to a server, it is easily blocked with proper protection in place.

Note that both the RTF exploit and this current PDF exploit are targeted attacks, usually meaning an organization, where the policy "don't open attachments" doesn't apply, especially when email lists are compromised and the recipient either trusts the sender, or has good reason to think the attachment is legitimate.

-rich

 

Peter, I agree ... too much bloat and slowness ...
Mrk

 

Which one is better Foxit or PDFExchange?

Thanks

 

Security Updates Available for Adobe Reader and Acrobat:
http://www.adobe.com/support/security/bulletins/apsb09-15.html

 

I understand.

Currently I have version 8.x installed, with javascript disabled and I removed the ActiveX.

There may be exploits but I can't be bothered to update it.
I have never been infected by/through it, and I don't expect that to happen.

 

Sorry, I don't know much about DEP.

----
rich

 

Over the past year I've tested 37 malicious PDF files - some in web-based attacks, others just opening on disk. Only TWO triggered an exploit on my small, non-bloated, 1.5-seconds-to-open Acrobat Reader v.6.

I've thought about downloading a newer version to try the bad files, but I didn't want to waste the time.

----
rich

 

Update: PDFiD Version 0.0.9 to Detect Another Adobe 0Day
PDFiD is included in VirusTotal.

 

Yes, hardware DEP is the one interested, because it prevents code execution from stack/heap (and this exploit is executing code from heap)

 

Foxit and Free expert PDF viewer seem buggy to use. I have to use Adobe Reader I hate to use. It. I've disable all the crap it tries to start on my system. So that's about it. Banks, bills they all use Adobe Reader templates which forces you to use it. Foxit and Free Expert PDF Viewer can't open PDF that required Adobe Reader 9. I also create PDF Creator for bills paid to save it to the HDD just to cut back on toner/drum usage here and paper, thus color ink carts are expensive!