
Last week, Belgian security researcher Didier Stevens demonstrated that PDF exploitation is possible with the user only selecting the file (security4all).
Now he has taken it a level further. In some cases, you can be vulnerable just by having an infected file on your hard disk. The problem lies with the Windows Indexing Service (among others).
Visit his blog for the details and countermeasures.
It's still two days before Adobe releases a patch. And the question is: what will the patch rate of the average user be? It may take months to see serious adoption.
Until then, here is a list of possible countermeasures:
- Disable JavaScript in Adobe Acrobat Reader. I know that this stops only the known attacks and does not eliminate the underlying vulnerability, but it can help lower the threat level.
- Although not perfect, antivirus vendors are updating their products to detect malicious PDFs. Make sure you have antivirus on your desktop, your proxy and your mail server, preferably not all using the same engine. This will increase your detection rate.
- Some IDS and IPS signatures are available.
- Disable automatic rendering of PDFs in the browser
- Warn users to be careful about PDFs from unknown sources
- Install an alternative PDF reader like Foxit Reader or Sumatra PDF
- And in Didier's case, disable or uninstall the Windows Indexing Service (see his blog for more info)
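
An audit-and-apply script for two of the countermeasures above (Reader JavaScript and the Indexing Service), added here as an example and not taken from the original post or from Didier's blog. It assumes Adobe Reader stores its per-user JavaScript switch as the DWORD `bEnableJS` under `HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs`, that a missing value means JavaScript is enabled, and that the Indexing Service is registered under the service name `cisvc`.

```powershell
# Added example (not from the original post). Run without arguments to report,
# or with -Apply to change settings. Changing the service requires an elevated prompt.
param([switch]$Apply)

# Assumption: per-user Reader settings live here, one subkey per installed version.
$readerRoot = 'HKCU:\Software\Adobe\Acrobat Reader'

if (Test-Path $readerRoot) {
    foreach ($ver in Get-ChildItem $readerRoot) {
        $jsKey   = "$readerRoot\$($ver.PSChildName)\JSPrefs"
        $current = $null
        if (Test-Path $jsKey) {
            $current = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }
        # Assumption: a missing value means the Reader default, JavaScript enabled.
        $state = if ($current -eq 0) { 'disabled' } else { 'ENABLED' }
        Write-Output "Reader $($ver.PSChildName): JavaScript $state"

        if ($Apply -and $current -ne 0) {
            if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            Write-Output '  -> bEnableJS set to 0'
        }
    }
} else {
    Write-Output 'No per-user Adobe Reader settings found for this account.'
}

# Assumption: "cisvc" is the service name of the Windows Indexing Service.
$svc = Get-Service -Name cisvc -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "Indexing Service (cisvc): $($svc.Status)"
    if ($Apply) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name cisvc -Force }
        Set-Service -Name cisvc -StartupType Disabled
        Write-Output '  -> stopped and startup type set to Disabled'
    }
} else {
    Write-Output 'Indexing Service (cisvc) is not installed on this machine.'
}
```

The JavaScript setting is per user, so the script has to run in each user's session (for example from a logon script) to cover a shared machine.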
As in biology, we need some biodiversity. By not using the most widely used software, you have more immunity against attacks that target those who do.
1 comment:
Adobe just released an update to the reader: http://msmvps.com/blogs/donna/archive/2009/03/10/adobe-released-v9-1-of-adobe-reader.aspx
This possibly fixes the vulnerability (although there is no official word on this as of yet).