
ShieldTech Flash - Adobe 0-day vulnerability


Wednesday, December 16, 2009: Adobe recently released a security advisory on a 0-day vulnerability for Adobe Reader and Acrobat.

http://www.adobe.com/support/security/bulletins/apsb10-02.html

The engineers at Milton Security Group have confirmed that this exploit is in the wild by deliberately downloading it from multiple web sites around the globe. The vulnerability is actively being exploited to attack systems. The number and type of attacks are probably low at the moment, but will certainly increase over the next 2 weeks, since Adobe's planned fix is targeted for Jan 12, 2010.

The bad news is that the heart of the vulnerability is the JavaScript framework in Adobe Acrobat and Reader, and the code that triggers it is obfuscated within a stream inside the PDF, which makes detection difficult, to say the least. In addition:

  • There is currently no patch or update available that completely protects against this exploit.

  • There is little to no detection of these malicious PDF files by most of the major antivirus vendors.

Now for the good news: there is a way to mitigate this problem today:

  • Host based: DISABLE JAVASCRIPT IN ADOBE. Launch Adobe Acrobat (or Reader), click Edit -> Preferences -> JavaScript, and uncheck "Enable Acrobat JavaScript".

  • Network Based: VISIBILITY & CONTROL WITH MSG 7200 OR EDGEWALL 7000

    Milton Security Group's Threat Detection team - MSGLabs - has identified three ways to identify or block this threat.

    1. Threat Filter: download a newly created Threat Filter and apply it to all existing Access Policies. This stops an already infected machine from communicating with known Command and Control hosts (as of Dec 16 at 13:00 Pacific).

    2. Policy Scan - Adobe: download an updated policy scan for the managed systems below an MSG7200 or EdgeWall 7000 unit that checks whether JavaScript is disabled within Adobe Acrobat.

    3. Policy Scan - DEP: download an updated policy scan for your managed systems below an MSG7200 or EdgeWall 7000 unit that checks to see if DEP (Data Execution Prevention) is enabled.
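Policy scans 2 and 3 above check two host settings: Acrobat JavaScript disabled and DEP enabled. The script below is an added example that performs the equivalent check from the endpoint itself; it is not Milton Security Group's policy scan and not Adobe's code. It assumes that Acrobat and Reader store the "Enable Acrobat JavaScript" checkbox as the DWORD `bEnableJS` under `HKCU\Software\Adobe\<product>\<version>\JSPrefs` (1 = enabled), and that the DEP policy can be read from `Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy` via `wmic`; verify both against your own Reader and Acrobat versions before relying on the result.

```python
"""Endpoint-side version of the advisory's two policy scans: is Acrobat/Reader
JavaScript disabled, and is DEP enabled? Added example; this is not Milton
Security Group's policy scan or Adobe's code. Assumptions: Acrobat and Reader
store the "Enable Acrobat JavaScript" checkbox as the DWORD bEnableJS under
HKCU\\Software\\Adobe\\<product>\\<version>\\JSPrefs (1 = enabled), and the
DEP policy is read from Win32_OperatingSystem via wmic."""
import subprocess
import sys

# Per-user preference roots for Reader and Acrobat (assumed locations, see above).
ADOBE_PRODUCT_KEYS = (r"Software\Adobe\Acrobat Reader", r"Software\Adobe\Adobe Acrobat")
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes
DEP_POLICY = {0: "AlwaysOff", 1: "AlwaysOn", 2: "OptIn", 3: "OptOut"}


def read_adobe_js_settings() -> dict:
    """Return {"<product> <version>": bEnableJS} for every Adobe version under HKCU (Windows only)."""
    import winreg  # Windows-only module, imported here so the rest runs anywhere
    settings = {}
    for base in ADOBE_PRODUCT_KEYS:
        product = base.split("\\")[-1]
        try:
            root = winreg.OpenKey(winreg.HKEY_CURRENT_USER, base)
        except OSError:
            continue  # product not installed for this user
        with root:
            index = 0
            while True:
                try:
                    version = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more version subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, version + r"\JSPrefs") as prefs:
                        value, _ = winreg.QueryValueEx(prefs, "bEnableJS")
                except OSError:
                    value = 1  # assumption: no explicit value means Adobe's default, enabled
                settings[f"{product} {version}"] = int(value)
    return settings


def parse_dep_policy(wmic_output: str) -> int:
    """Extract the policy code from 'wmic os get DataExecutionPrevention_SupportPolicy /value'."""
    for line in wmic_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "DataExecutionPrevention_SupportPolicy":
            return int(value)
    raise ValueError("DEP policy not present in wmic output")


def read_dep_policy() -> int:
    """Query the live DEP policy (Windows only)."""
    result = subprocess.run(
        ["wmic", "os", "get", "DataExecutionPrevention_SupportPolicy", "/value"],
        capture_output=True, text=True, check=True)
    return parse_dep_policy(result.stdout)


def evaluate(js_settings: dict, dep_policy: int) -> dict:
    """Apply both checks. OptIn counts as a failure here because it only protects
    processes that request DEP; AlwaysOn or OptOut cover Reader regardless."""
    failures = [f"{product}: Acrobat JavaScript is still enabled"
                for product, enabled in js_settings.items() if enabled != 0]
    if dep_policy not in (1, 3):
        failures.append(f"DEP policy is {DEP_POLICY.get(dep_policy, dep_policy)}, "
                        "expected AlwaysOn or OptOut")
    return {"compliant": not failures, "failures": failures}


if __name__ == "__main__":
    if sys.platform == "win32":
        report = evaluate(read_adobe_js_settings(), read_dep_policy())
    else:  # constructed values so the logic can be exercised off Windows
        report = evaluate({"Acrobat Reader 9.0": 1, "Adobe Acrobat 9.0": 0}, 2)
    print(report)
    sys.exit(0 if report["compliant"] else 1)
```

The non-zero exit code makes the script usable from a login script or a software-inventory agent, which is the closest thing to the managed policy scan on a host that is not behind an MSG7200 or EdgeWall 7000. Treating DEP OptIn as a failure is a choice made in this example; relax it if your Reader build is known to opt itself in.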

    As of this morning, only McAfee, NOD32 and Kaspersky detect and block this flaw, with varying degrees of success. Symantec had not updated as of 8am Dec 16, 2009.
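Because antivirus coverage is uneven and the triggering code sits obfuscated inside a PDF stream, a mail gateway or file server can still triage incoming PDFs for JavaScript itself. The script below is an added example, not Milton Security Group's or Adobe's code: it searches the raw file and every FlateDecode-compressed stream it can inflate for JavaScript action names and for actions that run without a click (`/OpenAction`, `/AA`). The three sample PDFs it builds are constructed for the demonstration and contain only a harmless `app.alert`; the function and file names are this example's own.

```python
"""Static triage of a PDF for embedded JavaScript, including JavaScript hidden
inside FlateDecode-compressed streams. Added example; not Milton Security
Group's or Adobe's code. Heuristic only: it reports that JavaScript is present
and whether it runs automatically, it does not decide that a file is malicious."""
import re
import zlib

# PDF name tokens must be followed by a PDF delimiter, so /JS does not match /JSX etc.
DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"
JS_RE = re.compile(rb"/(JavaScript|JS)" + DELIM)
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)" + DELIM)      # actions that run without a click
# /JS (literal string) with one level of balanced parentheses, e.g. app.alert('x')
JS_SRC_RE = re.compile(rb"/JS\s*\(((?:[^()]|\([^()]*\))*)\)")
# stream ... endstream; the lookbehind keeps "endstream" from starting a match
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream whose object dictionary
    declares /FlateDecode. Partial output is kept for truncated streams."""
    for m in STREAM_RE.finditer(data):
        obj_start = data.rfind(b" obj", 0, m.start())
        if obj_start == -1 or b"/FlateDecode" not in data[obj_start:m.start()]:
            continue
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not really zlib data, or deliberately corrupted


def scan_pdf(data: bytes) -> dict:
    """Look for JavaScript markers in the raw file and in every inflated stream."""
    report = {"has_javascript": False, "auto_trigger": False,
              "js_in_compressed_stream": False, "js_snippets": []}

    def inspect(blob: bytes, compressed: bool) -> None:
        if JS_RE.search(blob):
            report["has_javascript"] = True
            report["js_in_compressed_stream"] |= compressed
            report["js_snippets"] += [m.group(1).decode("latin-1", "replace")
                                      for m in JS_SRC_RE.finditer(blob)]
        if TRIGGER_RE.search(blob):
            report["auto_trigger"] = True

    inspect(data, compressed=False)
    for body in inflate_streams(data):
        inspect(body, compressed=True)

    if not report["has_javascript"]:
        report["verdict"] = "no JavaScript found"
    elif report["auto_trigger"]:
        report["verdict"] = "JavaScript runs on open: quarantine and review"
    else:
        report["verdict"] = "JavaScript present: review before opening"
    return report


def build_sample_pdf(with_js: bool, compress: bool) -> bytes:
    """Constructed minimal PDF for the demonstration (not a real exploit sample).
    The JavaScript is a harmless app.alert; with compress=True it is placed in a
    FlateDecode object stream so a plain string search for /JS would miss it."""
    action = b"<</S/JavaScript/JS(app.alert('constructed benign sample'))>>"
    catalog = b"/OpenAction 4 0 R" if with_js else b""
    parts = [b"%PDF-1.4\n",
             b"1 0 obj <</Type/Catalog/Pages 2 0 R" + catalog + b">> endobj\n",
             b"2 0 obj <</Type/Pages/Kids[3 0 R]/Count 1>> endobj\n",
             b"3 0 obj <</Type/Page/Parent 2 0 R/MediaBox[0 0 200 200]>> endobj\n"]
    if with_js and compress:
        body = zlib.compress(b"4 0 " + action)
        parts.append(b"5 0 obj <</Type/ObjStm/N 1/First 4/Filter/FlateDecode/Length %d>>\n"
                     % len(body) + b"stream\n" + body + b"\nendstream endobj\n")
    elif with_js:
        parts.append(b"4 0 obj " + action + b" endobj\n")
    parts.append(b"trailer <</Root 1 0 R>>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # triage real files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_pdf(fh.read()))
    else:                                       # demo on the constructed samples
        for label, pdf in (("clean", build_sample_pdf(False, False)),
                           ("plain JS", build_sample_pdf(True, False)),
                           ("JS hidden in stream", build_sample_pdf(True, True))):
            print(f"{label}: {scan_pdf(pdf)}")
```

Run it with no arguments to see the three constructed cases, or pass PDF paths to triage real files. The compressed sample is the point of the exercise: the raw bytes contain no `/JS` or `/JavaScript` at all, and only inflating the object stream reveals the action, which is why signature-only scanning of the file as delivered is unreliable. Encodings other than FlateDecode, encrypted documents and streams with more than one filter are outside what this example handles.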

    For further details on how you can keep this vulnerability from being exploited on your network, contact Milton Security Support Group at support@miltonsecurity.com.