SANS ISC InfoSec Forums
New Adobe Vulnerability Exploited in Targeted Attacks

Adobe's PSIRT (Product Security Incident Response Team) published a new blog post today [1]. The post reveals that a critical vulnerability, CVE-2009-3459, is being exploited in the wild in targeted attacks. The vulnerability affects Adobe 9.1.3 on Windows, Unix and OS X; however, the exploits seen so far have been limited to Windows.

An update scheduled for release on Oct 13th should fix the problem. Until then, Windows users are advised to enable DEP. Anti-malware vendors have been informed by Adobe.

This vulnerability does not require JavaScript, so disabling JavaScript in the past will not protect you in this case. Another workaround I found helpful: you can "clean" PDF documents by first converting them into another format (like PostScript) and then back into PDF. However, this is not guaranteed to remove the exploit, and you may infect the machine that does the conversion, since it will likely still use the vulnerable libraries to parse the document. The likelihood of that happening is quite low, though.
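The re-rendering workaround above, as an added example script that is not part of the diary or of Adobe's guidance. It assumes Ghostscript's pdf2ps and ps2pdf wrappers are installed and that the script is run on a disposable machine or sandbox, because the converter itself parses the untrusted PDF. It also refuses inputs that do not carry a PDF header and discards any output that is not a PDF, so a failed conversion never leaves a half-written file behind.

```shell
#!/bin/sh
# Added example (not the diary's own code): re-render an untrusted PDF through
# PostScript and back with Ghostscript, i.e. the "convert and convert back" workaround.
# Assumptions: pdf2ps/ps2pdf from Ghostscript are on PATH; run in a sandbox.

# check_pdf_header FILE -> 0 if FILE exists and begins with "%PDF-", 1 otherwise
check_pdf_header() {
    [ -f "$1" ] || return 1
    # a PDF must start with the five bytes %PDF-
    [ "$(head -c 5 "$1")" = "%PDF-" ]
}

# rerender_pdf IN OUT -> writes a re-rendered copy of IN to OUT via a temporary .ps
# Exit codes: 1 missing/invalid input, 2 Ghostscript not available,
#             3 conversion failed or did not produce a PDF.
rerender_pdf() {
    in="$1"; out="$2"
    check_pdf_header "$in" || { echo "not a PDF: $in" >&2; return 1; }
    command -v pdf2ps >/dev/null 2>&1 && command -v ps2pdf >/dev/null 2>&1 \
        || { echo "Ghostscript (pdf2ps/ps2pdf) not found" >&2; return 2; }
    tmp=$(mktemp -d) || return 3
    # GS_OPTIONS is read by Ghostscript; -dSAFER restricts file access from PostScript
    if GS_OPTIONS="-dSAFER" pdf2ps "$in" "$tmp/page.ps" \
       && GS_OPTIONS="-dSAFER" ps2pdf "$tmp/page.ps" "$out" \
       && check_pdf_header "$out"; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    rm -f "$out"
    echo "conversion failed for $in" >&2
    return 3
}

# Usage: rerender_pdf untrusted.pdf clean.pdf
```

The intermediate PostScript is written to a private temporary directory and removed on both success and failure; the only file that survives is the re-rendered PDF, and only when it passes the header check.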

[1] http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Yes, DEP is the answer all right:

https://www.securestate.com/Documents/Bypassing_Hardware_based_Data_Execution_Prevention.pdf

"We’ll only talk about Windows 2003 SP2 in this specific paper since each OS, while of course different, is relatively similar. It is significantly easier to bypass DEP in Windows XP SP2 and Windows 2003 SP1 than it is with Windows 2003 SP2..."
Anonymous
DEP may not be THE answer, but it helps. Just because it can be bypassed doesn't mean that it is useless in every case.
Johannes (ISC Handler)
Clarification on DEP: according to Adobe, DEP will only help you on Vista here.
Johannes (ISC Handler)
It probably wouldn't make much difference anyway. Supposedly Firefox 3.5's ability to warn people of old Flash software caused some ten million Flash updates. There's probably a similar amount of old Adobe Reader versions installed and Vista isn't widely used in corporations where the risk of spear phishing is large.
Anonymous
Is the PoC avail...how are these classified as targeted attacks? Last I saw the 0day was confirmed yet not seen being exploited in the wild. Any further info would help!
Anonymous
Sec_Jay - At least one of the entities being targeted does not wish to disclose its identity
Anonymous
Could you please use "Adobe Reader and Acrobat" next time instead of just "Adobe"?
I use many Adobe products, but Reader and Acrobat are not among them.
Anonymous
@n3kt0n Understood that the agency affected would like to remain anonymous; however, ISC is the only place where I heard about "targeted" attacks taking place, so I wasn't sure what evidence they had to back that statement.
Anonymous