My next class:

New Adobe Vulnerability Exploited in Targeted Attacks

Published: 2009-10-08. Last Updated: 2009-10-08 20:09:19 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Adobe's PSIRT (Product Security Incident Response Team) published a new blog post today [1]. The post reveals that a critical vulnerability, CVE-2009-3459, is now being exploited in the wild in targeted attacks. The vulnerability affects Adobe 9.1.3 on Windows, Unix and OS X. However, the exploits have been limited to Windows so far.

An update scheduled to be released on Oct 13th should fix the problem. Until then, Windows users are advised to enable DEP. Anti malware vendors have been informed by Adobe.

This vulnerability does not require Javascript. If you disabled Javascript in the past, it will not protect you in this case. Another workaround I found helpful: You can "clean" PDF documents by first converting them into another format (like Postscript) and then back into PDF. However, this is not 100% certain to remove the exploit and you may infect the machine that does the conversion as it will likely still use the vulnerable libraries to convert the document. But the likelyhood of this happening is quite low.

[1] http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe vulnerability
10 comment(s)
My next class:

Comments

Yes, DEP is the answer all right:

https://www.securestate.com/Documents/Bypassing_Hardware_based_Data_Execution_Prevention.pdf

"We’ll only talk about Windows 2003 SP2 in this specific paper since each OS, while of course different, is relatively similar. It is significantly easier to bypass DEP in Windows XP SP2 and Windows 2003 SP1 than it is with Windows 2003 SP2..."
DEP may not be THE answer, but it helps. Just because it can be bypassed doesn't mean that it is useless in every case.
clarification on DEP. According to Adobe, DEP will only help you in Vista here.
It probably wouldn't make much difference anyway. Supposedly Firefox 3.5's ability to warn people of old Flash software caused some ten million Flash updates. There's probably a similar amount of old Adobe Reader versions installed and Vista isn't widely used in corporations where the risk of spear phishing is large.
Is the PoC avail...how are these classified as targeted attacks? Last I saw the 0day was confirmed yet not seen being exploited in the wild. Any further info would help!
Sec_Jay - At least one of the entities being targeted does not wish to disclose its identity
Could you please use "Adobe Reader and Acrobat" next time in stead of just "Adobe".
I use many Adobe products but Reader and Acrobat are not among them..
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.

Diary Archives