
Alert: Buffer Overflow Issue in Adobe Acrobat & Acrobat Reader

February 24th, 2009

I would like to inform you that we have received new updates from Trend Micro Global Update Center.

Topic: Buffer Overflow Issue in Certain Versions of Adobe Acrobat and Acrobat Reader May Cause Remote Code Execution

Advisory Release Date: February 23, 2009

Vulnerability Details

A vulnerability has been found in version 9.0.0 and earlier of the Adobe Acrobat family of applications that may cause the program(s) to crash, as well as allow a remote user to execute malicious code on an affected system.

The attack exploits a vulnerability in a non-JavaScript function call; however, JavaScript is also used to successfully execute the malicious code. Disabling JavaScript will prevent code execution, but it will not prevent Adobe Acrobat from crashing.

Known reports are currently isolated to Windows users; there are no known and verified cases yet on the Linux and OS X platforms.

Malware exploits a zero-day vulnerability

This Trojan is a specially crafted .PDF file that exploits a zero-day vulnerability in Acrobat Reader Version 8.x and 9.0.

The said vulnerability causes the application to crash and could potentially allow an attacker to take control of the affected system.

Differing variants of this file drop various malware onto the affected system. Below are some of the malware families detected by Trend Micro that are dropped by this PDF:

BKDR_NETCL.A

EXPL_EXECOD.A

JS_SHELLCOD.JS

TROJ_AGENT.ZWQA

TROJ_FAKEAV.LKQQ

Affected Software

· Adobe Acrobat Pro 9.0.0 and earlier versions

· Adobe Acrobat Pro Extended 9.0.0 and earlier versions

· Adobe Acrobat Reader 9.0.0 and earlier versions

· Adobe Acrobat Standard 9.0.0 and earlier versions

As of this time, no patch exists for this vulnerability. A patch for Acrobat and Acrobat Reader version 9.0.0 is expected by March 11, 2009. Patches for earlier versions will follow.

Please consult the official Adobe security bulletin for details on these patches.

Recommendation:

For enterprise customers, Active Directory administrators can implement a registry alteration via a Startup Script from the Group Policy Editor and/or Security Settings. This enables them to roll out the solution across the network in a shorter period of time.

Manual Editing on Adobe Application

Click Edit -> Preferences -> JavaScript and uncheck “Enable Acrobat JavaScript”.

GPO-Based Registry Change to Disable JavaScript for Adobe Acrobat Reader

Registry hive: HKEY_CURRENT_USER

Adobe Acrobat Reader:

Software\Adobe\Acrobat Reader\x.0\JSPrefs

Adobe Acrobat:

Software\Adobe\Adobe Acrobat\x.0\JSPrefs

Setting the DWORD “bEnableJS” to 0 will disable JavaScript.

See attachment for the txt copy (reg.txt) of the registry alteration.
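
The registry change described above, as an added PowerShell example (it is not the reg.txt attachment and not Trend Micro's or Adobe's own script). It enumerates the installed "x.0" version subkeys instead of hard-coding one, sets bEnableJS to 0, and reports the value before and after. The function name is hypothetical, and the script is assumed to run in each user's own session (for example as a logon script), because HKEY_CURRENT_USER is per-user.

```powershell
# Added example: disable Acrobat JavaScript for the current user by setting
# the DWORD bEnableJS to 0 under every installed "x.0" version key.
# Assumption: runs in the user's session, since HKEY_CURRENT_USER is per-user.

$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',   # Adobe Acrobat Reader
    'HKCU:\Software\Adobe\Adobe Acrobat'     # Adobe Acrobat
)

function Disable-AcrobatJavaScript {          # hypothetical helper name
    param([string[]]$Roots = $productRoots)

    foreach ($root in $Roots) {
        # Skip products that have no key for this user.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Version subkeys correspond to the "x.0" placeholder in the advisory.
        $versions = Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSChildName -match '^\d+\.0$' }

        foreach ($ver in $versions) {
            $jsPrefs = Join-Path (Join-Path $root $ver.PSChildName) 'JSPrefs'

            # Create JSPrefs if it is absent so the value can be written.
            if (-not (Test-Path -LiteralPath $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }

            # Record the current value (null when the value is not set).
            $before = (Get-ItemProperty -LiteralPath $jsPrefs -Name bEnableJS `
                           -ErrorAction SilentlyContinue).bEnableJS

            New-ItemProperty -LiteralPath $jsPrefs -Name bEnableJS `
                -PropertyType DWord -Value 0 -Force | Out-Null

            # Read the value back to confirm the write took effect.
            $after = (Get-ItemProperty -LiteralPath $jsPrefs -Name bEnableJS).bEnableJS

            [pscustomobject]@{
                Key    = $jsPrefs
                Before = if ($null -eq $before) { '(not set)' } else { $before }
                After  = $after
            }
        }
    }
}

Disable-AcrobatJavaScript | Format-Table -AutoSize
```

Any row whose After column is not 0 indicates a profile where the write did not take effect and JavaScript is still enabled.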

Preventive Action

· Keep your Trend Micro products up-to-date with the current pattern files (All detections are currently available in our Official Pattern)

· Use caution when opening email attachments or when using peer-to-peer file sharing, instant messaging, or chat rooms

· Encourage the wide use of WRS functionality and IWSS to filter compromised sites which are delivering the exploit for the said vulnerability.

· Prevent Internet Explorer from automatically opening PDF documents.

· Disable the displaying of PDF documents in the web browser. This can be disabled in the General preferences dialog (Edit, Preferences, Internet, and un-check “Display PDF in browser”).

· Use caution when opening untrusted PDF files.

(*Some of the recommendations and preventive actions above came from US-CERT)

Additional Information

http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPIDIEF%2EIN&VSect=T

eimir Adobe