Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adobe 0-day in the wild - again

Published: 2009-12-15
Last Updated: 2009-12-16 20:15:36 UTC
by Johannes Ullrich (Version: 3)
10 comment(s)

Update2:  : It looks like Adobe will not be releasing an update to resolve this issue until Jan 12!  Find their full advisory with the release date here ==> http://www.adobe.com/support/security/advisories/apsa09-07.html

Handler on Duty: Rob VandenBrink

------------------------------------------------

Update1:  One of the samples that we had access shows the following behavior that could help you to identify infections in your network/system:

The exploit has the executable included: AdobeUpdate.exe - Size 9.356k (hash 069175846447506b3811632535395bc3 ).

This executable will download another file called ab.exe (and save it as winver32.exe on C:windows folder). You may also check your logs for the website hxxp://foruminspace.com . This file is hosted there.

The current sample has the following specs: Size 386,016k and hash 686738eb5bb8027c524303751117e8a9 .

-------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno //&&// isc. sans. org)

Twitter: twitter.com/besecure

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

It's not ground hog day, but it surely feels like it. The Shadowserver Foundation [1] is reporting about spotting another Adobe 0-day in the wild

Adobe acknowledged the issue in a PSIRT post [2].

The quick summary: The is currently no patch available and commonly used anti-virus products appear to be mostly missing it. The bug requires JavaScript. Turning off JavaScript support appears to be your best defense. I could recommend that you don't open any malicious PDFs. But it would probably be as useful to go and hide in a cave until all Adobe bugs got fixed.

Please let us know if you find any malicious PDFs like this, and let the Adobe PSIRT know as well.

[1] http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214

[2] http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: 0day adobe pdf
10 comment(s)
Join us at SANS! Attend Intrusion Detection In-Depth with Johannes Ullrich in Online | US Eastern starting Apr 26 2021
Top of page
Diary Archives