The PhishLabs Blog

Acrobat 0-day used in targeted attacks

Posted by John LaCour on Feb 21, '09

You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that has been used in targeted attacks. While this isn’t anything like a traditional phishing or malware attack, it could be considered a type of ‘spear’ phishing.

In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader that allows attackers to execute arbitrary code. In real-world exploits, the attackers use Acrobat JavaScript to fill memory with their code, which, when executed, downloads and installs malicious files on the victim’s system. Sourcefire has revealed a surprising amount of detail about the vulnerability on their blog.

I say the amount of detail is surprising because very little information has come out about how to mitigate this attack. As a former IT security guy, this is extremely frustrating. Even in Adobe’s security advisory about the incident, the only information one is left with is to watch until March 11th for a patch. If you’re responsible for protecting users, there’s not much to do but hope your AntiVirus and other security products catch the attack.

While the attacks seen so far leverage Acrobat JavaScript, it’s important to note that in this particular case the actual vulnerability is not in JavaScript. However, because JavaScript is being used in real-world attacks and there have been other JavaScript vulnerabilities in Acrobat Reader, it makes sense to disable it completely. But what do you do if you need to disable it across hundreds or thousands of machines?

PhishLabs spent some time investigating which registry keys hold the JavaScript settings of Acrobat and found that the magic key is:

HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS

Set this to 0x0 or 0x1 to disable or enable it respectively.
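Because the setting lives under HKCU, it is per user, so a fleet-wide rollout has to touch every user's hive rather than the machine once. The script below is an added example, not PhishLabs' code: it writes the value into each user hive currently loaded under HKEY_USERS and reads it back. It assumes bEnableJS is stored as a DWORD; the script name, parameter names and the function name are hypothetical.

```powershell
# Disable-ReaderJS.ps1 (hypothetical name) - added example, not from the original post.
# Writes bEnableJS for the current user, or for every user hive loaded under HKEY_USERS.
# Assumption: bEnableJS is a DWORD value. Run elevated when using -AllLoadedUsers.
param(
    [ValidateSet(0, 1)][int]$Value = 0,   # 0x0 = disabled, 0x1 = enabled (per the post)
    [switch]$AllLoadedUsers
)

$SubKey = 'Software\Adobe\Acrobat Reader\9.0\JSPrefs'   # key path given in the post
$Name   = 'bEnableJS'

function Set-ReaderJSPref {
    param([string]$Root, [int]$Value)
    $path = "$Root\$SubKey"
    # Create the key only if it is missing: New-Item -Force on an existing
    # registry key would recreate it and drop the user's other JSPrefs values.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $path -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
    # Read the value back so the output reflects what is actually stored.
    $stored = (Get-ItemProperty -LiteralPath $path -Name $Name).$Name
    [pscustomobject]@{ Hive = $Root; Name = $Name; Stored = $stored; Ok = ($stored -eq $Value) }
}

if ($AllLoadedUsers) {
    # Real user SIDs only: skips .DEFAULT, service accounts and the *_Classes hives.
    $roots = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
} else {
    $roots = @('HKCU:')
}

foreach ($root in $roots) {
    try {
        Set-ReaderJSPref -Root $root -Value $Value
    } catch {
        # Report the failure per hive instead of aborting the whole run.
        [pscustomobject]@{ Hive = $root; Name = $Name; Stored = $null; Ok = $false }
        Write-Warning "Failed on ${root}: $($_.Exception.Message)"
    }
}
```

Only hives that are loaded at run time are changed, so users who are not logged on are missed; running the script without `-AllLoadedUsers` from a logon script covers them at their next logon.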


Topics: Phishing, Malware, Exploit, Vulnerability, Adobe
