Adobe 0-day in the wild - again
Update2: It looks like Adobe will not be releasing an update to resolve this issue until Jan 12! Find their full advisory with the release date here ==> http://www.adobe.com/support/security/advisories/apsa09-07.html
Handler on Duty: Rob VandenBrink
------------------------------------------------
Update1: One of the samples that we had access to shows the following behavior, which may help you identify infections in your network/system:
The exploit has the executable included: AdobeUpdate.exe, size 9.356k (hash 069175846447506b3811632535395bc3).
This executable will download another file called ab.exe (and save it as winver32.exe in the C:\windows folder). You may also check your logs for the website hxxp://foruminspace.com, which hosts this file.
The current sample has the following specs: size 386,016k and hash 686738eb5bb8027c524303751117e8a9.
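As an added example (not code from the diary or its handlers), here is how a defender could sweep a host and a proxy log for the indicators listed in Update1: it hashes every file under a directory against the two MD5s above, flags the dropped file names as leads, and parses URLs out of log lines so only fetches from the hosting site (or a subdomain of it) are reported. The squid-style log lines are constructed sample input.

```python
import hashlib
from pathlib import Path
from urllib.parse import urlsplit
# Indicators exactly as given in Update1 of the diary (MD5 hex digests, file names, host).
KNOWN_MD5 = {
    "069175846447506b3811632535395bc3": "AdobeUpdate.exe (dropper carried inside the PDF)",
    "686738eb5bb8027c524303751117e8a9": "ab.exe, saved as winver32.exe (second-stage download)",
}
SUSPECT_NAMES = {"adobeupdate.exe", "ab.exe", "winver32.exe"}
SUSPECT_HOST = "foruminspace.com"

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked read: large files are fine
            h.update(chunk)
    return h.hexdigest()

def classify(name, digest):
    """Reason if (name, md5) hits an indicator, else None; hash hits are conclusive, name hits are leads."""
    if digest in KNOWN_MD5:
        return "md5 match: " + KNOWN_MD5[digest]
    if name.lower() in SUSPECT_NAMES:
        return "filename match only (" + name + "); hash differs, inspect manually"
    return None

def sweep_files(root):
    """Walk a directory tree and return (path, reason) for every indicator hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (reason := classify(p.name, md5_of(p))):
            hits.append((str(p), reason))
    return hits

def references_host(line):
    # Parse every URL-looking token so "notforuminspace.com" is not a false positive.
    for token in line.split():
        if "://" in token:
            host = (urlsplit(token).hostname or "").lower()
            if host == SUSPECT_HOST or host.endswith("." + SUSPECT_HOST):
                return True
    return False

def scan_proxy_log(lines):
    """Return the proxy log lines that reference the hosting site or a subdomain of it."""
    return [ln for ln in lines if references_host(ln)]
# Constructed sample proxy lines (not from the diary); only the first should be flagged.
SAMPLE_LOG = [
    "1260800010.456 10.0.0.5 TCP_MISS/200 386016 GET http://foruminspace.com/ab.exe",
    "1260800020.789 10.0.0.7 TCP_MISS/200 512 GET http://notforuminspace.com/x",
]
```

Run `sweep_files(r"C:\Windows")` (or a user profile directory) on a suspect machine and `scan_proxy_log(open("access.log"))` against your proxy logs; a hash hit is conclusive, a name-only hit needs a closer look.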
-------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno //&&// isc. sans. org)
Twitter: twitter.com/besecure
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
It's not Groundhog Day, but it surely feels like it. The Shadowserver Foundation [1] is reporting that it has spotted another Adobe 0-day in the wild.
Adobe acknowledged the issue in a PSIRT post [2].
The quick summary: there is currently no patch available, and commonly used anti-virus products appear to be mostly missing it. The bug requires JavaScript, so turning off JavaScript support appears to be your best defense. I could recommend that you don't open any malicious PDFs, but it would probably be as useful to go and hide in a cave until all Adobe bugs get fixed.
Please let us know if you find any malicious PDFs like this, and let the Adobe PSIRT know as well.
[1] http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214
[2] http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute