
    Archive for January 7th, 2010




    Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild. The sample (detected by Trend Micro as TROJ_PIDIEF.WIA) uses the heap spray technique to execute shellcode in its stream. As a result, a malicious file detected as BKDR_POISON.UC is dropped into the system.

    When executed, BKDR_POISON.UC opens an instance of Internet Explorer and connects to a remote site, cecon.{BLOCKED}-show.org. Once connected, a malicious user may execute any command on the affected system.

    Adobe has announced that it will provide a patch for this vulnerability on January 12, 2010. Until then, users are advised to disable JavaScript in Adobe Reader and Acrobat, as cybercriminals are sure to take advantage of this unpatched vulnerability. To do this, follow the steps below.

    1. Click Edit > Preferences.
    2. In the left panel, select JavaScript.
    3. Untick the Enable Acrobat JavaScript option.
    4. Click OK.

    In addition, Adobe plans to release an automatic/silent updater that will patch systems without user intervention. This will hopefully lessen the number of users who can be victimized by attacks employing exploits for already patched vulnerabilities.

    Trend Micro protects users from this threat via the Smart Protection Network, which detects all related malicious files. OfficeScan users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF1003879 and IDF003885 filters.
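
To complement the JavaScript-disabling steps above on systems where the setting cannot be changed right away, a mail gateway or file-share sweep can flag PDFs that declare script and auto-run actions. The Python triage below is an added example, not Trend Micro's detection logic; the function names and the sample byte strings are constructed for illustration.

```python
import re

# PDF names that signal embedded script or actions that run without a click.
SCRIPT_NAMES = {"JS", "JavaScript"}
AUTORUN_NAMES = {"OpenAction", "AA"}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, which let /JavaScript be written as /J#61vaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script and auto-run names in raw PDF bytes.

    Names inside compressed object streams are not visible at this level, so a
    clean result is not proof that a file carries no JavaScript.
    """
    counts = {name: 0 for name in sorted(SCRIPT_NAMES | AUTORUN_NAMES)}
    obfuscated = set()
    for match in _NAME.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:  # hex-escaping a keyword is a common evasion
                obfuscated.add(raw.decode("latin-1"))
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": counts,
        "script": any(counts[n] for n in SCRIPT_NAMES),
        "auto_run": any(counts[n] for n in AUTORUN_NAMES),
        "obfuscated": sorted(obfuscated),
    }


# Constructed samples (not taken from the sample described in the post).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (
    b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("scripted", SAMPLE_SCRIPTED)):
        print(label, triage_pdf(blob))
```

A file that reports both `script` and `auto_run`, or any entry in `obfuscated`, is a candidate for quarantine or sandbox analysis rather than delivery.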

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved.