PDF Exploits

I usually don’t do this, but since not all the information seems to be in a single spot I’m compiling a bit.

Adobe released the following:
http://www.adobe.com/support/security/advisories/apsa09-01.html

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers. A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates are available.

All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

It affects all versions of Adobe’s Acrobat (Pro, Standard, and Reader) version 9, 8, 7, and potentially 6/5. Currently the exploit uses JavaScript to call on memory that hasn’t been allocated properly and causes exceptions and an application failure. So, at a minimum, this exploit will crash out your Adobe Acrobat. At a maximum, it can open up your entire system to “bad things”. The exploit in the wild, as of right now, only uses javascript. Therefore, one can simply follow these steps:

Open Adobe Acrobat Reader (version 8 or 9)
Click Edit >> Preferences
Scroll down to JavaScript and uncheck Enable Acrobat JavaScript
Click OK

Or if you would prefer to use registry keys (and if you’re like me and use GPO’s to deploy the registry key imports at startup) here they are:

Add the key HKCU\software\adobe\acrobat reader\x.0\JSPrefs
Add a DWORD "bEnableJS", set value to 0
also make sure you look in HKCU\software\adobe\adobe acrobat\.. as well. The same thing applies to all versions.

It should be noted that JavaScript is merely used as the compiling tool in this case. Without JS enabled, the exploit STILL EXISTS, it’ll just be harder (in theory) to write for.

Leave a Reply

Your email address will not be published. Required fields are marked *