Adobe Acrobat pdf 0-day exploit, No JavaScript needed!

Published: 2009-02-25
Last Updated: 2009-02-25 02:12:33 UTC
by Andre Ludwig (Version: 1)
4 comment(s)

So there is a brief blog post linked below that highlights the fact that the new adobe PDF vulnerability can be exploited without the use of JavaScript.  This is obviously really bad news for anyone who is responsible for protecting environments where PDF's are present.  I think what a lot of people will find is just how prevalent JBIG2 streams are in "run of the mill" PDF files that are floating around their systems.  This means that simply looking for JavaScript + JBig streams in PDF files is not going to do you much good moving forward. 

All of the current observed samples are still utilizing JavaScript; this will NOT be the case moving forward!

Let me repeat again. YOU DO NOT NEED JS TO MAKE THIS EXPLOIT WORK. The JavaScript method employed by these attacks is "tried and true" when it comes to creating the right conditions for a reliable exploit. 

***I have not been able to verify secunia's claim independently at this point in time. (I would love to be able to verify this)

Secunia article
http://secunia.com/blog/44/

Now on to the important part of this post.

14 Days left before the patch is out.

 

4 comment(s)

Comments

14 days!? What are they waiting for? I imagine Foxit Reader is going to gain popularity all of a sudden, and maybe some other non-Adobe PDF readers.
If you read Adobe's announcement, it says, "Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009." It does not say "on" or "on or after". If there is any prep work you need to do in anticipation of the patch being made available that would speed up your testing and subsequent deployment, do not count on having until the 11th! I would do that right now and get ready. Adobe may very well release before the 11th. The Shadowserver Foundation post that states "The earliest patch will be for Adobe 9 and will not be available under March 11, 2009." is a misinterpretation of what Adobe said.
Adobe can state whatever they want, but their patching/security policies are horrible. The obvious question for them is what about Acrobat v8, v7, v6, and v5 folks? Why take even longer to patch v8 and v7 and completely ignore v6? Is this basically a "screw you" stance towards folks that don't run the absolute latest version of their expensive products? Not to mention the number of even v5 installs out there that came packaged with other software. With Adobe's poor security/patch stance...Joe Average User doesn't stand a chance. DO we need to start regarding Acrobat like Quicktime and just ban it network wide as too great of security risk?
Adobe can state whatever they want, but their patching/security policies are horrible. The obvious question for them is what about Acrobat v8, v7, v6, and v5 folks? Why take even longer to patch v8 and v7 and completely ignore v6? Is this basically a "screw you" stance towards folks that don't run the absolute latest version of their expensive products? Not to mention the number of even v5 installs out there that came packaged with other software. With Adobe's poor security/patch stance...Joe Average User doesn't stand a chance. DO we need to start regarding Acrobat like Quicktime and just ban it network wide as too great of security risk?

Diary Archives