Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Clearing some things up about Adobe

Published: 2010-01-15
Last Updated: 2010-01-15 20:10:11 UTC
by Kevin Liston (Version: 1)
2 comment(s)

The word “Adobe” conjures up a number of meanings here.  When we get an email that mentions just “Adobe,” we fill in the blank with one of the following:

  • Adobe the Company
  • Adobe Acrobat
  • Adobe Acrobat Reader
  • Etc.

This invariably leads to confusion.

A similar confusion exists surrounding the recently reported Google incident ( especially when Adobe released a similarly worded announcement:
This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file.  I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack.  Adobe’s (the company) ASSET security team released additional details yesterday ( where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here:

So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product.

So let’s look instead at how their products ARE being used to compromise systems…

The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot:

Fortunately CVE-2009-4324 has been patched.

A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox.  I understand that when I download an interactive PDF-form that it’s going to need some javascript to run.  I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs.

Kevin Liston

Keywords: PDF
2 comment(s)
Diary Archives