Disable JavaScript in Adobe Reader
It appears that there is something in the wild that the guys over at Shadowserver are very concerned about. The affected versions of Reader are 8.x to 9.x. To disable JavaScript in your Reader, select EDIT from the main menu, then select PREFERENCES, click on JavaScript and uncheck "Enable Acrobat JavaScript".
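For more than a handful of machines, the same setting can be pushed by script. The PowerShell below is an added example, not something from Shadowserver or Adobe; it assumes Reader keeps this checkbox as the DWORD value bEnableJS under the per-user key HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs, with version subkeys 8.0 and 9.0, and the function name is made up for the example.

```powershell
# Added example: registry equivalent of unchecking "Enable Acrobat JavaScript"
# for Adobe Reader 8.x and 9.x.
# Assumption: the preference is the DWORD bEnableJS under
# HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs (version keys 8.0, 9.0).
$versions = '8.0', '9.0'

function Disable-ReaderJavaScript {   # hypothetical helper name
    param([string]$Version)

    $base = "HKCU:\Software\Adobe\Acrobat Reader\$Version"
    if (-not (Test-Path $base)) {
        # No settings for this Reader version in this user's profile: nothing to change.
        return [pscustomobject]@{ Version = $Version; Previous = 'no settings found'; Current = $null }
    }

    # JSPrefs may not exist until the user has opened the JavaScript preferences page.
    $prefs = Join-Path $base 'JSPrefs'
    if (-not (Test-Path $prefs)) {
        New-Item -Path $prefs -Force | Out-Null
    }

    # Record the old value so the change can be audited or rolled back later.
    $old = (Get-ItemProperty -Path $prefs -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
    Set-ItemProperty -Path $prefs -Name bEnableJS -Value 0 -Type DWord

    # Read the value back rather than trusting the write.
    $new = (Get-ItemProperty -Path $prefs -Name bEnableJS).bEnableJS
    [pscustomobject]@{
        Version  = $Version
        Previous = if ($null -eq $old) { 'unset' } else { $old }
        Current  = $new
    }
}

$versions | ForEach-Object { Disable-ReaderJavaScript -Version $_ } | Format-Table -AutoSize
```

The key is per-user, so run it in each user's context, for example as a logon script.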
Shadowserver also believes that Symantec has provided protection against a possible threat dubbed Trojan.Pidief.E since February 12. Peek over at Shadowserver to get the latest news regarding this threat.
Updates from Shadowserver on Friday, February 20, 2009:
More information for you on this and Sophos protection – since Feb 7th 2009
Sophos detection is Troj/PDFJs-U with exploit aliases of Exploit.Win32.Pdfief.acv and Exploit.JS/Mult.BC
Writeup located here:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsu.html
There is also a closely related shellcode-type attack that Sophos calls Troj/PDFJs-I, with protection since Dec 8 2008. Sophos write-up located here:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsi.html
Updates Late Friday:
I have more news for you as an update to this rapidly developing Adobe exploit issue:
The ClamAV signature is called Exploit.PDF-23, so we have another vendor on board that now has protection against this exploit.
Also Snort has a new ruleset to detect attacks targeting this vulnerability. Go here:
http://www.snort.org/vrt/advisories/vrt-rules-2009-02-20.html
Sourcefire just released a good blog post with details on the workings of the exploit and how a heap spray could be used across multiple versions of the Reader. Go here:
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
Thanks go to Dave from Shadowserver for providing info & updates on this!