SANS ISC: InfoSec Handlers Diary Blog

Adobe/Acrobat 0-day in the wild?

Published: 2009-02-20
Last Updated: 2009-02-23 03:03:09 UTC
by Joel Esler (Version: 7)

According to our friends over at Shadowserver, there is a new Acrobat 0-day in the wild.  They say you can avoid it by turning off JavaScript inside your Adobe Acrobat products.

Please see Shadowserver's write-up here for more information.

UPDATE:  Another great VRT Blog post.  These guys keep pumping them out!  Check it out here.

UPDATE:  Shadowserver has released important mitigation information.  You can see that post at the URL below.

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221

UPDATE:  Sourcefire VRT has published a "homebrew" patch for the vulnerability.  PLEASE TEST THIS BEFORE DEPLOYING IN ANY ENVIRONMENT!!!  SANS ISC has NOT verified the effectiveness of this "homebrew patch", and as such we cannot make any claims or comments on its effectiveness or on any unintended consequences of using this modified software.  As some of you may remember, ZERT has done similar things in the past, and there are obviously caveats involved with this approach (both technical and possibly legal).  So please do educate yourself, and if need be discuss with your legal team before deploying third-party modified software into your environment.

Information on patch:

http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

Information on ZERT:

http://www.isotf.org/zert/

Disclosure:  Joel works for Sourcefire, but does not work for the VRT.

UPDATE 2:  Based on the comments to this diary entry, something needs to be clearly stated.  Java has NO relation to this exploit; JavaScript is used by the attackers to massage memory structures to build a more reliable exploit.  Disabling JavaScript will remove this ability and make a reliable exploit much harder to build.  - Andre L
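The advice above is to turn JavaScript off in Acrobat; the complementary defender's step is to find out which PDFs arriving at the gateway or sitting on a share carry JavaScript at all. The following scanner is an added example, not code from the diary, Shadowserver or Sourcefire. It looks for the PDF name objects that introduce script (/JavaScript, /JS) and the hooks that run an action without a click (/OpenAction, /AA), both in the raw file and inside FlateDecode-compressed streams, and it undoes the #xx hex escapes PDF permits in names so that a name written as /J#61vaScript is still counted. The three sample documents are constructed for the example and contain only a harmless alert call.

```python
"""Triage PDFs for embedded JavaScript (added example, not from the diary)."""
from __future__ import annotations

import re
import zlib

# /JavaScript and /JS carry script; /OpenAction and /AA are triggers that
# run an action automatically (on open, on page view, and so on).
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF #xx name escapes so /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return the decompressed body of every stream that zlib can open."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not FlateDecode (or damaged): nothing to inflate
    return out


def count_indicators(data: bytes) -> dict[str, int]:
    """Count each indicator name; a name ends at whitespace or a delimiter."""
    text = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        # Negative lookahead stops /JS from matching a longer name such as /JSX.
        pat = re.escape(name) + rb"(?![^\s/\[\]<>(){}%])"
        counts[name.decode()] = len(re.findall(pat, text))
    return counts


def scan_pdf(data: bytes) -> dict[str, int]:
    """Scan the raw bytes plus every inflated stream and merge the counts."""
    total = count_indicators(data)
    for body in inflate_streams(data):
        for name, n in count_indicators(body).items():
            total[name] += n
    return total


def has_javascript(data: bytes) -> bool:
    """True when the document carries a JavaScript action anywhere."""
    counts = scan_pdf(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0


# Constructed sample documents (not real malware): a benign file, one with an
# OpenAction JavaScript action in clear text, and one where the action is
# hex-escaped and stored inside a FlateDecode stream.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

JS_PDF = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF\n")


def build_hidden_js_pdf() -> bytes:
    """Same action as JS_PDF, but hex-escaped and compressed into a stream."""
    action = b"<< /S /J#61vaScript /JS (app.alert('hi')) >>"
    body = zlib.compress(action)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("openaction-js", JS_PDF),
                       ("hex-escaped-in-stream", build_hidden_js_pdf())):
        print(label, scan_pdf(doc), "javascript:", has_javascript(doc))
```

A hit on /JS or /JavaScript is a triage signal, not a verdict: plenty of legitimate forms use script. The combination with /OpenAction or /AA is what makes a file worth a closer look, and a file that hides those names behind hex escapes or inside compressed objects has no benign reason to do so. Streams using other filters (ASCIIHex, LZW, etc.) are not decoded here and would need the same treatment.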

-- Joel Esler http://www.joelesler.net

-- Andre L
