Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory

Published: 2010-09-08. Last Updated: 2010-09-08 18:03:06 UTC
by John Bambenek (Version: 1)
18 comment(s)

We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write-up and here is the link to the original advisory. The exploit was discovered in a phishing attempt with the subject of "David Leadbetter's One Point Lesson". Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details). It does affect the latest version of Acrobat/Reader and Adobe is investigating a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments.

--
John Bambenek
bambenek at gmail /dot/ com


Comments

Adobe is killing us! Secure Document Format (SDF) please!!! (I think I read something about that recently.)
John wrote "Secure Document Format (SDF) please!!!"

Should that not be Secure Portable Document Format (SPDF)? Security is paramount but don't forget the platform/device independency.
Seriously. This is getting ridiculous. Maybe they could hurry up on that sandboxing at least.
Does anyone know if FoxIt is more secure? (I guess, how could it be worse than Adobe Reader at this point?) I've made the switch on my personal PC, and I'm thinking of switching my clients as well.
I'm not sure Foxit is more secure but there is less bloat in it and I agree how could it be less secure.
I switched my users to it without issue.
As with many or all of the recent Adobe PDF hacks, you can stop this one by disabling JavaScript within Reader/Acrobat.

The Metasploit blog has an excellent technical write-up today: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Receiving active infection at a rate of 1 every 5 seconds.
Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it
Here.http: / / www . share d ocuments . com / library / PDF_Document21 . 025542010 . pdf
Please check it and reply as soon as possible.
Cheers,


(Note that the domain name has only one D in it.)

SB
Update: the real link (:-S) is:

http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr

SB
Since some of the most well known virus companies are not detecting the .scr file according to VirusTotal, can anyone say what the file does, if anything, at this point? We got blasted about 2 hrs ago. I have one machine offline until I can tell what it does.
We got hit with this an hour ago and it spread like wildfire. It seems to spam all Exchange distribution lists with the original e-mail. It was sending to every one of our distribution lists. The Exchange server is halted now until we can contain this.
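A small mail-filter check for the lure pattern described in the comments above (the "Here you have" subject and a link whose filename is dressed up as a PDF but ends in .scr), written as an added example rather than anything from the diary or its commenters; the sample messages and the example.invalid hostnames are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Extensions Windows will execute; a link whose filename looks like a document
# but carries one of these is the double-extension trick used in the lure above.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_HINTS = ("pdf", "doc", "xls", "ppt")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def suspicious_urls(body):
    """Return URLs whose filename hints at a document but ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(body):
        name = urlparse(url).path.lower().rsplit("/", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if dot and "." + ext in EXECUTABLE_EXT and any(h in stem for h in DOCUMENT_HINTS):
            hits.append(url)
    return hits


def classify(raw_message):
    """Return the reasons a message should be quarantined (empty list if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() == "here you have":
        reasons.append("subject matches known lure")
    for url in suspicious_urls(msg.get_payload()):
        reasons.append("document-named executable link: " + url)
    return reasons


# Constructed sample modelled on the lure quoted in the comments (placeholder host).
SAMPLE_LURE = """\
From: someone@example.invalid
To: all-staff@example.invalid
Subject: Here you have

Hello:
This is The Document I told you about,you can find it
Here.http://example.invalid/yahoophoto/PDF_Document21_025542010_pdf.scr
Please check it and reply as soon as possible.
Cheers,
"""

# Constructed benign message: a genuine PDF link should not be flagged.
SAMPLE_BENIGN = """\
From: someone@example.invalid
Subject: Q3 report

Slides are at http://example.invalid/reports/q3_summary.pdf
"""
```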
