Guard Against Sandbox-Bypassing Adobe Reader Zero-Day

News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the place. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. But the situation is not without hope.

With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit that affects versions 10 and 11 of Adobe Reader and is reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in Reader version 10, and it executes even if JavaScript is disabled in the software. The only interaction it requires is for a user to open a .PDF document; the bug triggers when the browser is closed.

There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.

It is definitely time to take action and observe due diligence. Given that the details of the vulnerability are not available, we suggest that users follow these security measures:

  • Educate employees to refrain from opening documents received from unknown or unverified sources.
  • Consider using alternative .PDF software readers such as Foxit or the built-in reader in Google Chrome. Adobe is currently investigating this issue, but until Adobe comes up with a concrete solution or alternative fix, it might be best to steer clear of Adobe Reader in the meantime.

We at Trend Micro Deep Security have, over time, developed several heuristics-based rules for generic detection of attack delivery via .PDF documents. As mitigation, Trend Micro customers using Deep Security, and OfficeScan users using the Intrusion Defense Firewall, should assign the following rules to their endpoints.

  • 1004133 – Heuristic Detection Of Malicious PDF Documents
  • 1004593 – Heuristic Detection Of Malicious PDF Documents – 2
  • 1004085 – Heuristic Detection Of Malicious PDF Documents – 3
  • 1004579 – Heuristic Detection Of Malicious PDF Documents 3
  • 1004652 – Identified Suspicious PDF Document
  • 1003503 – Suspicious PDF File With Embeded Obfuscated Javascript
  • 1004081 – Restrict PDF Documents With Embedded Executable Files
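As an added illustration of the kind of structural heuristics such rules rely on (example code written for this post, not Trend Micro's rule logic), the following Python scanner flags risky PDF features on raw bytes, looks inside FlateDecode streams and decodes #-escaped names. The list of flagged names and the sample document are constructed for this example.

```python
import re
import zlib

# PDF name objects commonly abused for payload delivery and the reason each
# one is worth flagging. Matching runs on raw bytes, so the input need not be
# a well-formed PDF.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code or stream",
    b"/Launch": "launch action (runs an external program)",
    b"/EmbeddedFile": "embedded file attachment",
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional actions (page or form-field triggers)",
    b"/RichMedia": "embedded Flash / rich media",
}

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in names so /Java#53cript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every FlateDecode stream, so
    dictionaries hidden inside compressed object streams are also scanned."""
    extra = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates trailing whitespace and truncation
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (other filter, or unfiltered stream)
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    """Return {name: reason} for every risky feature found in the document."""
    view = normalize_names(inflate_streams(data))
    hits = {}
    for name, why in RISKY_NAMES.items():
        # Names are delimiter-terminated; stop /JS from matching /JSX etc.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view):
            hits[name.decode()] = why
    return hits

# Constructed sample: the action dictionary is zlib-compressed inside a stream
# and its /JavaScript name is #-escaped, so a naive byte scan misses both.
_HIDDEN = zlib.compress(b"<< /S /Java#53cript /JS (app.alert(1)) >>")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /Filter /FlateDecode /Length "
              + str(len(_HIDDEN)).encode() + b" >>\nstream\n"
              + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, why in sorted(scan_pdf(SAMPLE_PDF).items()):
        print(f"{name:14} {why}")
```

A hit on /OpenAction or /AA alone is not malicious by itself; in practice the scanner's output is scored against the other features present, which is why the post stresses that such heuristics are not cure-alls.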

These rules have provided protection against past zero-day exploits that we have collected over time. However, they should not be considered foolproof “cure-alls” for zero-day exploits, including this one. Timely rule implementation and user education are still key in safeguarding systems against threats – zero-day or not.

We are currently monitoring this threat and will give updates on any noteworthy developments.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 14 November 2012; the full text is available at the content source above.