Guard Against Sandbox-Bypassing Adobe Reader Zero-Day
News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the place. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. But the situation is not without hope.
With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.
There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.
It is definitely time to take action and observe due diligence. Given that the details of the vulnerability are not available, we suggest users to follow these security measures:
- Educate employees to refrain from opening documents received from unknown or unverified sources.
- Consider using alternative .PDF software readers such as Foxit or the built-in reader in Google Chrome. Currently, Adobe is investigating this issue. But until Adobe comes up with a concrete solution or alternative fix, it might be best to steer clear of Adobe Reader for the meantime.
We at Trend Micro Deep Security have, over time, developed several heuristics-based rules for generic detection of attack delivery via .PDF documents. As mitigation, Trend Micro customers using Deep Security and OfficeScan users using the Intrusion Defense Firewall should assign the following rules to their endpoints.
- 1004133 – Heuristic Detection Of Malicious PDF Documents
- 1004593 – Heuristic Detection Of Malicious PDF Documents – 2
- 1004085 – Heuristic Detection Of Malicious PDF Documents – 3
- 1004579 – Heuristic Detection Of Malicious PDF Documents 3
- 1004652 – Identified Suspicious PDF Document
- 1004081 – Restrict PDF Documents With Embedded Executable Files
These rules have provided protection against past zero-day exploits that we have collected overtime. However, these should not be considered foolproof “cure-alls” to zero-day exploits including this one. Timely rule implementation and user education are still key in safeguarding systems against threats – zero-day or not.
We are currently monitoring this threat and we”ll give updates of any noteworthy developments.