Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory

Published: 2010-09-08. Last Updated: 2010-09-08 18:03:06 UTC
by John Bambenek (Version: 1)
18 comment(s)

We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write up and here is the link to the original advisory.  The exploit was discovered in a phishing attempt with the subject of "David Leadbetter's One Point Lesson".  Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details).  It does effect the latest version of Acrobat/Reader and Adobe is investigation a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file.  So the good news is that, as of right now, it's a "loud exploit".  Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories.  At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing style scenario.  Will update this dairy as needed with developments.

--
John Bambenek
bambenek at gmail /dot/ com

Keywords: adobe CVE20102883 reader vulnerability
18 comment(s)

Comments

Adobe is killing us! Secure Document Format (SDF) please!!! (I think I read something about that recently.)

John

Sep 8th 2010
1 decade ago

John wrote "Secure Document Format (SDF) please!!!"

Should that not be Secure Portable Document Format (SPDF)? Security is paramount but don't forget the platform/device independency.

Chris

Sep 8th 2010
1 decade ago

Seriously. This is getting ridiculous. Maybe they could hurry up on that sandboxing at least.

Rob

Sep 8th 2010
1 decade ago

Does anyone know if FoxIt is more secure? (I guess, how could it be worse than Adobe Reader at this point?) I've made the switch on my personal PC, and I'm thinking of switching my clients as well.

BrundleFly

Sep 9th 2010
1 decade ago

I'm not sure Foxit is more secure but there is less bloat in it and I agree how could it be less secure.
I switched my users to it without issue.

pwobbe

Sep 9th 2010
1 decade ago

As with many or all of the recent Adobe PDF hacks, you can stop this one by disabling JavaScript within Reader/Acrobat.

The Metasploit blog has an excellent technical write-up today: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html

Andrew from Vancouver

Sep 9th 2010
1 decade ago

Receiving active infection at a rate of 1 every 5 seconds.
Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it
Here.http: / / www . share d ocuments . com / library / PDF_Document21 . 025542010 . pdf
Please check it and reply as soon as possible.
Cheers,


(Not the the domain name has only one D in it.)

SB

SB

Sep 9th 2010
1 decade ago

Update: the real link (:-S) is:

http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr

SB

SB

Sep 9th 2010
1 decade ago

Since some of the most well known virus companies are not detecting the scr file according to virus totals, can anyone say what the file does if anything at this point?? We got blasted about 2 hrs ago. I have one machine offline until I can tell what it does.

JJ

Sep 9th 2010
1 decade ago

We got hit with this an hour ago and it spread like wildfire. It seems to spam all exchange distribution lists with the original e-mail. It was sending to every one of our distribution lists. The exchange server is halted now until we can contain this.

DT

Sep 9th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives