Trend Micro threat analysts were alerted to the discovery of a zero-day exploit that affects Adobe Reader and Acrobat 9.1.3 and earlier versions (CVE-2009-3459). Trend Micro detects this as TROJ_PIDIEF.UO. This .PDF file contains an embedded JavaScript, which Trend Micro detects as JS_AGENTT.DT. This JavaScript is used to execute arbitrary codes in a technique known as heap spraying. In addition, there is a possibility that a future variant may be created that does not use JavaScript to exploit the said vulnerability.

Based on our findings, the shellcode (that was heap sprayed) jumps to another shellcode inside the .PDF file. The said shellcode then extracts and executes a malicious file detected by Trend Micro as BKDR_PROTUX.BD. The said backdoor is also embedded in the .PDF file and not the usual file downloaded from the Web. Protux variants are known for their ability to provide unrestricted user-level access to a malicious user. Earlier variants of the Protux backdoor were seen to have been used as payload in previous attacks exploiting vulnerabilities in Microsoft Office files.

As of this writing, Adobe has indicated that it will include this vulnerability in its upcoming security update release. Meanwhile, users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:

1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK.

Users are also advised to patch their systems as soon as Adobe releases the security patch. Trend Micro protects users with the Smart Protection Network by detecting the said exploit.

Anybody want to know Trend Micro’s top secret internal strategic plans for our upcoming projects? How about our financial returns for the next quarter?

Well, sorry, obviously we are not going to give that sort of information out publicly—we’d need to be crazy to do something like that.

On the other hand, if you want a heads up on Microsoft’s upcoming Windows 8 and Windows 9 OSs (128-bit, apparently) just wander over to the LinkedIn social networking site.

PC Pro has published a short piece on how a certain key Microsoft employee’s LinkedIn profile described his job as:

Working in high-security department for research and development involving strategic planning for medium- and long-term projects. Research and development projects, including 128-bit architecture compatibility with the Windows 8 kernel and Windows 9 project plan. Forming relationships with major partners: Intel, AMD, HP, and IBM.

Ouch.

This is yet another example of very sensitive company data being accidently posted on a social networking site, an all-too-common occurence. Social networking sites are also invaluable as sources of reconnaissance for hackers targeting a specific company, whether it’s an IT administrator on LinkedIn mentioning “managing checkpoint firewalls” in his job description or an employee tweeting that he/she is on his/her way to a “merger meeting with company X”—employees are quite often unaware of the sensitive information they are publicly disclosing.

Don’t get me wrong, I like social networks. I even have a LinkedIn profile of my own but I don’t put any data there that people would not already know.

If you are worried about this sort of data leak occuring in your own company, I’d fully recommend reading my colleague, David Sancho’s, paper “A Security Guide to Social Networks.”.

Perhaps Microsoft might like to print out a copy for all of its own employees.