ALERT: Malicious PDFs Exploiting Adobe Acrobat, You May Be Next
by Eirik Iverson, Product Management
Zero-day exploit alerts for Adobe Acrobat arrive so often that readers might wonder whether this article is about the October 2009 one, the July 2009 one, or one of the many others from the last two years. Yes, this is yet another one, announced 8 October 2009. Botnet operators are certainly updating the attack code on already-infected computers so that it can infect any resident PDF documents that might be sent on to others, and they are placing spiked PDF documents on legitimate websites they have already compromised. In short, if the only thing standing between you and a nasty PDF is your anti-virus/spyware software, game over.
Disabling JavaScript Does Not Prevent These Adobe Acrobat Zero-Day Exploit Attacks
Unlike the Adobe Acrobat exploit attacks that surged in summer 2009, this month's exploits cannot be thwarted by disabling JavaScript. And unlike some other Acrobat exploit attacks, these new ones affect every version of Acrobat and Acrobat Reader from 7.0 through 9.1.3 (listed below). Even converting a PDF document to some other format and back to PDF does not guarantee safety.
Adobe is expected to release a patch on 13 October 2009. Given the visibility it will get, there is a good chance the patch will not cause unforeseen problems. Still, if Adobe is rushing, as I expect it is, I would wait and see how others fare with this emergency patch before applying it.
Acrobat Reader Alternatives
There are alternatives to Acrobat Reader; I don't know whether any of them are affected. If you go that route, make certain that Acrobat Reader does NOT launch when somebody double-clicks a PDF in Windows Explorer, or when a web browser or some other program opens a PDF. Check which program owns the .pdf file association (on Windows, Default Programs in the Control Panel, or the assoc and ftype commands at a command prompt) rather than assuming the new reader took it over. The easiest precaution is to uninstall Adobe Acrobat.
Your AntiVirus/Spyware Will NOT Protect Your Computer(s)
I've written many posts on this subject. To recap: with the automated tools available to cyber criminals today, it takes them seconds to create a tainted PDF that your anti-virus/spyware software will not recognize as malware. The anti-virus/spyware vendors, on the other hand, must discover each of these PDFs, generate a signature, and distribute it to every customer computer. And the cyber criminals follow the malware best practice of retiring each PDF after 48 hours or less, which dramatically reduces the odds that a vendor stumbles upon a particular PDF in time to generate and distribute a signature.
So if you receive a PDF from someone you know and open it without non-signature-based protection, you are implicitly trusting that the person who apparently sent it really did, and that his or her computer is not already infested without that person's knowledge.
A person who ignores this advice and opens a PDF from a friend, or from a legitimate website, will probably NOT notice anything. An executable from who knows where is downloaded onto the computer and launched without asking or indicating anything; this is called a drive-by download attack. That executable is almost certainly temporary from the perspective of the cyber criminals behind it: it exists to assess the computer it landed on, determine the most advantageous thing to do to and with that computer, and then do it. If the user is logged in with a limited user account (LUA), or otherwise without local admin rights, the temporary executable may download and launch another component that conducts a privilege escalation attack so that it can install software deep in the core of the operating system, making it practically invisible to detection tools. Again, the vast majority of people who open these PDF documents will not notice a thing wrong. They may, however, discover weeks or months later something horrible in the real world that is ultimately traced back to their computer.
What Can You Do? PDFs Must Be Read, But Safely
Consumers should get software like AppGuard, which places Adobe Acrobat under guard and snuffs out the drive-by download attacks sprung loose by this Acrobat exploit. Organizations should consider something like AppGuard Enterprise or AppGuard Enterprise Plus.
A Different, Better Approach to Zero Day Attack Computer Protection
These security software solutions take a different approach to computer protection from that of anti-virus/spyware products that rely on virus signatures. They place under guard the applications that process incoming, potentially malicious content, instead of trying to pick the bad out of a nearly infinite variety of content. We also steered away from protection that depends on telling good behavior from bad behavior within those guarded applications, in favor of a deterministic approach.
First, we prevent the guarded applications from doing harm by blocking their write operations to critical PC resources. Second, in all the endpoint locations where users have write access, we prevent unknown or unauthorized executables from launching at all. We call these locations user-space, and USB media count as user-space. Guarded apps can launch from user-space (typically two to four such applications are listed); this amounts to user-space whitelisting, which is considerably less effort to implement than total whitelisting. With the at-risk applications and unknown user-space executables precluded from writing into the 'Program Files' and 'Windows' directories, total whitelisting adds far, far less value, and those directories are where the bulk of the total-whitelisting implementation pain lies.
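The two rules above are simple enough to model. The following is an added example written for this page, not AppGuard's code: a small, deterministic policy evaluator that applies the two rules (guarded applications may not write under protected system locations; executables may not launch from user-space unless they are on a short whitelist) to a constructed trace of process launches and file writes that mirrors the drive-by scenario described earlier. The directory layout, the application paths, the whitelist entry (putty.exe) and the event format are assumptions for illustration; the rule that any drive other than the system drive counts as user-space is also an assumption, standing in for the USB case mentioned in the text.

```python
# Added example: a model of the two-rule deterministic policy described above.
# Not AppGuard's code. Paths, app names and the event trace are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

SYSTEM_DRIVE = "c:"
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
USER_SPACE_ROOTS = (r"C:\Users", r"C:\Temp")   # user-writable locations (assumed layout)

# Applications that process untrusted content and are therefore guarded.
GUARDED_APPS = {
    r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
}
# The short user-space whitelist: the only executables allowed to launch from
# user-writable locations. Anything on it runs guarded as well.
USER_SPACE_WHITELIST = {
    r"C:\Users\alice\AppData\Local\Tools\putty.exe",   # hypothetical entry
}


@dataclass(frozen=True)
class Event:
    kind: str    # "launch" (actor starts target) or "write" (actor writes target)
    actor: str   # full path of the acting process image
    target: str  # executable being launched or file being written


def _parts(path: str) -> list[str]:
    # Windows paths are case-preserving but not case-sensitive, so compare lowercased
    # path components rather than raw strings (avoids the C:\Windowsfoo prefix trap).
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under(path: str, roots: Iterable[str]) -> bool:
    parts = _parts(path)
    return any(parts[: len(r)] == r for r in (_parts(root) for root in roots))


def is_user_space(path: str) -> bool:
    drive = PureWindowsPath(path).drive.lower()
    # Assumption: anything not on the system drive (USB stick, network share,
    # or a relative path with no drive at all) is treated as user-space.
    return drive != SYSTEM_DRIVE or _under(path, USER_SPACE_ROOTS)


def is_guarded(path: str) -> bool:
    guarded = {g.lower() for g in GUARDED_APPS | USER_SPACE_WHITELIST}
    return path.lower() in guarded


def evaluate(ev: Event) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one launch or write event."""
    # Fail closed on un-canonicalised paths: a real enforcement point sees the
    # kernel's resolved path, but this model does not resolve "..".
    if ".." in _parts(ev.target):
        return "block", "non-canonical target path"
    if ev.kind == "launch":
        if is_user_space(ev.target) and not is_guarded(ev.target):
            return "block", "executable launch from user-space, not on whitelist"
        return "allow", "launch permitted"
    if ev.kind == "write":
        if is_guarded(ev.actor) and _under(ev.target, PROTECTED_ROOTS):
            return "block", "guarded app writing to a protected location"
        return "allow", "write permitted"
    return "block", f"unknown event kind {ev.kind!r}"


READER = r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\svc.exe"

# Constructed trace of the drive-by scenario from the article, plus a few
# control events showing what the policy still allows.
DRIVE_BY_TRACE = [
    Event("launch", EXPLORER, READER),                                   # user opens Reader
    Event("write", READER, DROPPER),                                     # exploit drops payload in %TEMP%
    Event("launch", READER, DROPPER),                                    # exploit tries to run it
    Event("write", READER, r"C:\Windows\System32\drivers\evil.sys"),     # exploit tries a kernel drop
    Event("launch", EXPLORER, r"E:\autorun\setup.exe"),                  # unknown exe on USB
    Event("launch", EXPLORER, r"C:\Users\alice\AppData\Local\Tools\putty.exe"),  # whitelisted
    Event("write", r"C:\Users\alice\AppData\Local\Tools\putty.exe", READER),     # whitelisted app is still guarded
    Event("write", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\NewApp\app.exe"),  # unguarded installer
]


def run_trace(events: Iterable[Event] = DRIVE_BY_TRACE) -> list[str]:
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in DRIVE_BY_TRACE:
        verdict, why = evaluate(e)
        print(f"{verdict:5} {e.kind:6} {e.target}  ({why})")
```

Note what the model does and does not stop: the exploit is still allowed to drop its payload into the user's temp directory (rule one only protects Program Files and Windows), but the payload can never launch from there, and the guarded Reader process cannot write under Windows, so the drive-by chain breaks at the first launch. An unguarded installer running from System32 keeps its normal write access, which is exactly why this is less work than total whitelisting.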
Related Articles
SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk
Never Ending Vulnerabilities for Web Browsers (the new class of attacks discussed here, applies to Adobe products too)
Disable Non-Microsoft/Apple Software Auto Update Features
Widespread Attacks Underway, Disable Adobe Flash or Install Protection Software (Summer 2009)
Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses
Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?
Why Should UnPatched PC Software Concern You?
Websites Unknowingly Attacking PCs
Cybercriminals Robbing Social Network Users
Today's Spear Phishing Attacks Can Wipe Out Small Businesses in One Click
Affected Versions of Adobe Acrobat
Adobe Acrobat Standard: 9.1.3; 9.1.2; 8.1.6; 8.1.4; 8.1.3; 8.1.2; 8.1.1; 7.1.3; 7.1.1; 7.0.8; 7.0.7; 7.0.6; 7.0.5; 7.0.4; 7.0.3; 7.0.2; 7.0.1; 7.0; 9.1; 9; 8.1; 8.0; 7.1
Adobe Acrobat Reader: 9.1.3; 9.1.2; 8.1.5; 8.1.4; 8.1.3; 8.1.2; 8.1.1; 7.1.2; 7.1.1; 7.0.9; 7.0.8; 7.0.7; 7.0.6; 7.0.5; 7.0.4; 7.0.3; 7.0.2; 7.0.1; 7.0; 8.1; 8.0; 7.1
Adobe Acrobat Professional: 9.1.3; 9.1.2; 8.1.6; 8.1.4; 8.1.3; 8.1.2; 8.1.1; 7.1.3; 7.1.1; 7.0.9; 7.0.8; 7.0.7; 7.0.6; 7.0.5; 7.0.4; 7.0.3; 7.0.2; 7.0.1; 7.0; 9.1; 9; 8.1; 8.0; 7.1
Adobe Acrobat: 9.1.1; 7.0.3; 7.0.2; 7.0.1; 7.0