|
Adobe's PSIRT (Product Security Incident Response Team) published a new blog post today [1]. The post reveals that a critical vulnerability, CVE-2009-3459, is now being exploited in the wild in targeted attacks. The vulnerability affects Adobe 9.1.3 on Windows, Unix and OS X. However, the exploits have been limited to Windows so far. An update scheduled to be released on Oct 13th should fix the problem. Until then, Windows users are advised to enable DEP. Anti malware vendors have been informed by Adobe. This vulnerability does not require Javascript. If you disabled Javascript in the past, it will not protect you in this case. Another workaround I found helpful: You can "clean" PDF documents by first converting them into another format (like Postscript) and then back into PDF. However, this is not 100% certain to remove the exploit and you may infect the machine that does the conversion as it will likely still use the vulnerable libraries to convert the document. But the likelyhood of this happening is quite low. [1] http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html ------ |
Johannes 4347 Posts ISC Handler Oct 8th 2009 |
| Thread locked Subscribe |
Oct 8th 2009 1 decade ago |
|
Yes, DEP is the answer all right:
https://www.securestate.com/Documents/Bypassing_Hardware_based_Data_Execution_Prevention.pdf "We’ll only talk about Windows 2003 SP2 in this specific paper since each OS, while of course different, is relatively similar. It is significantly easier to bypass DEP in Windows XP SP2 and Windows 2003 SP1 than it is with Windows 2003 SP2..." |
Anonymous |
| Quote |
Oct 8th 2009 1 decade ago |
|
DEP may not be THE answer, but it helps. Just because it can be bypassed doesn't mean that it is useless in every case.
|
Johannes 4347 Posts ISC Handler |
| Quote |
Oct 8th 2009 1 decade ago |
|
clarification on DEP. According to Adobe, DEP will only help you in Vista here.
|
Johannes 4347 Posts ISC Handler |
| Quote |
Oct 8th 2009 1 decade ago |
|
It probably wouldn't make much difference anyway. Supposedly Firefox 3.5's ability to warn people of old Flash software caused some ten million Flash updates. There's probably a similar amount of old Adobe Reader versions installed and Vista isn't widely used in corporations where the risk of spear phishing is large.
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
Is the PoC avail...how are these classified as targeted attacks? Last I saw the 0day was confirmed yet not seen being exploited in the wild. Any further info would help!
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
Sec_Jay - At least one of the entities being targeted does not wish to disclose its identity
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
Could you please use "Adobe Reader and Acrobat" next time in stead of just "Adobe".
I use many Adobe products but Reader and Acrobat are not among them.. |
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
|
@n3kt0n Understood that the agency affected would like to remain anonymous however ISC is the only place where I heard about "targeted" attacks taking place so I wasn't sure what evidence they had to back that statement.
|
Anonymous |
| Quote |
Oct 9th 2009 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
