Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Adobe 0-day in the wild - again InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adobe 0-day in the wild - again

Published: 2009-12-15
Last Updated: 2009-12-16 20:15:36 UTC
by Johannes Ullrich (Version: 3)
10 comment(s)

Update2:  : It looks like Adobe will not be releasing an update to resolve this issue until Jan 12!  Find their full advisory with the release date here ==>

Handler on Duty: Rob VandenBrink


Update1:  One of the samples that we had access shows the following behavior that could help you to identify infections in your network/system:

The exploit has the executable included: AdobeUpdate.exe - Size 9.356k (hash 069175846447506b3811632535395bc3 ).

This executable will download another file called ab.exe (and save it as winver32.exe on C:windows folder). You may also check your logs for the website hxxp:// . This file is hosted there.

The current sample has the following specs: Size 386,016k and hash 686738eb5bb8027c524303751117e8a9 .


Handler on Duty: Pedro Bueno (pbueno //&&// isc. sans. org)



It's not ground hog day, but it surely feels like it. The Shadowserver Foundation [1] is reporting about spotting another Adobe 0-day in the wild

Adobe acknowledged the issue in a PSIRT post [2].

The quick summary: The is currently no patch available and commonly used anti-virus products appear to be mostly missing it. The bug requires JavaScript. Turning off JavaScript support appears to be your best defense. I could recommend that you don't open any malicious PDFs. But it would probably be as useful to go and hide in a cave until all Adobe bugs got fixed.

Please let us know if you find any malicious PDFs like this, and let the Adobe PSIRT know as well.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 0day adobe pdf
10 comment(s)
Diary Archives