New Adobe 0-Day Vulnerability - But Does It Matter?
For the 2nd time in 2009 Adobe has to deal with a 0-day announcement.
Securityfocus BID 34736 has the exploit code, which should be
straightforward for attackers to incorporate into their existing
"outreach" mechanisms. Once again the JavaScript implementation in Adobe
Reader is the culprit and Adobe officially recommends turning off
JavaScript as a work-around, until a patch becomes available. While I
expect that attacks will focus on the Windows platform, the
vulnerability is truly cross-platform and affects Windows, Macs and
Linux.
File format vulnerabilities of this kind represent a significant attack
vector, but they continue to be neglected by IT administrators. Our
ongoing analysis of the previous Adobe vulnerability APSA09-01 (released
February 2009, patch available on March 10 as shown by the red line in
the graph) shows no significant reduction in the number of exploitable
machines.
If this trend continues to persist for the Adobe Reader vulnerabilities,
which it has in all of 2008 and as demonstrated in Laws 2.0, attackers
don't need to rush anymore; they can take their time in figuring out the
best way to get an infected PDF file to their victims.
-----------------------------------
Example exploit code:
http://downloads.securityfocus.com/vulnerabilities/exploits/34736.txt
I've seen no .pdf POC posted yet on milw0rm.
Again, I have my doubts that the combination of Win-98 / Acrobat 6 is
vulnerable (they haven't been for other pdf exploits discovered during
the past year or so).
I believe that Macs are also listed as vulnerable to this.
See also:
http://www.us-cert.gov/current/#adobe_reader_javascript_function_vulnerability
The only logical course of action going forward is to simply completely
remove your browser's .pdf file handling settings, or at the very least
set them to "save to disk".
> http://laws.qualys.com/
>
> New Adobe 0-Day Vulnerability - But Does It Matter?
>
> For the 2nd time in 2009 Adobe has to deal with a 0-day announcement.
> Securityfocus BID 34736 has the exploit code, which should be
> straightforward for attackers to incorporate into their existing
> "outreach" mechanisms. Once again the JavaScript implementation in Adobe
> Reader is the culprit and Adobe officially recommends turning off
> JavaScript as a work-around, until a patch becomes available.
<snip>
So how many times do users have to get warned or burned before they
start to actually learn to disable the Javascript function in Adobe
Reader?
While a web page can indicate that Javascript must be enabled (by using
the <NOSCRIPT> tag which runs the code only when scripting is disabled
or not supported by the web browser) to use that web page which can then
have the user make the decision to enable it or not, I don't know that
Adobe Reader has a means to alert the user that Javascript must be
enabled within it to properly render the .pdf file that it loaded. If
it did, Adobe should default to Javascript disabled and let the user
decide via prompt whether to enable it whenever they open a .pdf file
that wants to use Javascript. The users might find it could be years or
decades before they found a .pdf file that wanted to use Javascript or a
.pdf file that they would trust to use Javascript.
It would be preferred that Adobe default to disabling Javascript in
their Reader program but provide a prompt that alerts the user if and
when they happen to load a .pdf file that wants to use it. Currently it
is the users that must remember to disable Javascript after installing
Adobe Reader.
I remembered that some people said with the last exploit (not this one)
that there were ways to exploit it without Javascript ...
Javascript is just a great help to exploit the heap overflow with heap
spraying.
| I remembered that some people said with the last exploit (not this one)
| that there were ways to exploit it without Javascript ...
| Javascript is just a great help to exploit the heap overflow with heap
| spraying.
That was the PDF JBIG2 exploit. There was no JavaScript dependency in that.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
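
Added example, not part of any post in this thread: a triage check a mail or download gateway could run on incoming PDFs, flagging files that declare JavaScript actions (the vector in this advisory) or JBIG2 streams (the earlier flaw mentioned above, which had no JavaScript dependency). Function names and sample bytes are constructed for illustration. It scans raw bytes only, so names hidden inside compressed object streams are not seen.

```python
import re

# PDF name tokens worth flagging: script actions, auto-run triggers, JBIG2 filter.
WATCHED = ("JS", "JavaScript", "OpenAction", "AA", "JBIG2Decode")

# A PDF name is "/" followed by regular characters; "#xx" is a hex escape.
_NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each watched name (exact match after decoding)."""
    counts = {name: 0 for name in WATCHED}
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    # Readers accept the header anywhere near the start, so search a window.
    if b"%PDF-" not in data[:1024]:
        return "not-pdf"
    c = scan_pdf(data)
    if c["JS"] or c["JavaScript"]:
        return "quarantine: script"
    if c["JBIG2Decode"]:
        return "review: JBIG2"
    return "pass"


# Constructed sample documents (fragments, not complete PDFs).
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /S /J#61vaScript /JS (constructed) >>\nendobj\n")
SAMPLE_JBIG2 = (b"%PDF-1.4\n3 0 obj\n<< /Type /XObject /Subtype /Image "
                b"/Filter /JBIG2Decode /Length 0 >>\nstream\n\nendstream\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in (("js", SAMPLE_JS), ("jbig2", SAMPLE_JBIG2), ("plain", SAMPLE_PLAIN)):
        print(label, verdict(doc), scan_pdf(doc))
```

A hit means the file deserves a closer look or a hold, not that it is malicious; legitimate forms also use JavaScript and scanned documents commonly use JBIG2.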