TrendLabs Malware Blog - Trend Micro
News of an "unknown" zero-day in Adobe Reader, reportedly circulating in the underground, is all over the Internet. Because of its reported capabilities, including the ability to defeat Adobe Reader's sandbox, users are alarmed, and rightfully so. Fortunately, the situation is not without hope.

With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures they can implement.

Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader that is reportedly being sold in the underground for USD 30,000 to 50,000. Why so much money? This zero-day reportedly bypasses the sandbox protection (Protected Mode) that Adobe introduced in version 10, and it works even if JavaScript is disabled in Reader. The only user interaction it requires is opening a .PDF document; the exploit is reported to trigger when the browser is closed.

There are reports that this bug is already being used in specific targeted attacks, and that it will soon be incorporated into the notorious BlackHole Exploit Kit. Once that happens, there is a real chance of widespread exploitation via the kit.

It is definitely time to take action and observe due diligence. Given that the details of the vulnerability are not available, we suggest that users follow these security measures:

• Educate employees to refrain from opening documents received from unknown or unverified sources.
• Consider using alternative .PDF readers such as Foxit or the built-in reader in Google Chrome. Adobe is currently investigating this issue, but until it comes up with a concrete fix or workaround, it may be best to steer clear of Adobe Reader for the time being.

We at Trend Micro have, over time, developed several heuristics-based Deep Security rules for generic detection of attack delivery via .PDF documents. As mitigation, customers using Deep Security, and OfficeScan customers using the Intrusion Defense Firewall, should assign the following rules to their endpoints:

• 1004133 – Heuristic Detection Of Malicious PDF Documents
• 1004593 – Heuristic Detection Of Malicious PDF Documents – 2
• 1004085 – Heuristic Detection Of Malicious PDF Documents – 3
• 1004652 – Identified Suspicious PDF Document
• 1004081 – Restrict PDF Documents With Embedded Executable Files

These rules have provided protection against past zero-day exploits that we have collected over time. However, they should not be considered foolproof cure-alls for zero-day exploits, including this one. Timely rule deployment and user education remain key to safeguarding systems against threats, zero-day or not.
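To make concrete what a heuristic rule of the kind listed above looks for, here is an added example scanner. It is not Trend Micro's rule logic or code; the indicator list, weights, threshold and the three sample documents are this example's own assumptions (the samples are constructed, not real malware). It flags action and script names a benign document rarely needs, undoes the `#xx` hex-escape trick used to hide names such as `/JavaScript`, inflates FlateDecode streams so indicators stashed in compressed object streams are still seen, and treats a stream that starts with an `MZ` header as an embedded executable, the case a "restrict PDFs with embedded executable files" rule addresses. Note the limit this post itself points out: an exploit that needs no JavaScript, as this one reportedly does not, will not trip the JavaScript indicators, which is why such rules are no cure-all.

```python
"""Toy heuristic scanner for the indicators a generic "malicious PDF" rule
looks for.  Added example; not Trend Micro's rule logic.  Indicator list,
weights, threshold and the sample documents are this example's assumptions.
"""
import re
import zlib

# (name, description, weight): names that benign documents rarely need.
INDICATORS = [
    (b"JavaScript",   "JavaScript object", 2),
    (b"JS",           "JavaScript action string or stream", 2),
    (b"OpenAction",   "action run when the document is opened", 1),
    (b"AA",           "additional (automatic) actions", 1),
    (b"Launch",       "launch action that runs an external program", 3),
    (b"EmbeddedFile", "embedded file attachment", 2),
    (b"RichMedia",    "embedded rich media such as Flash", 2),
]
SUSPICIOUS_SCORE = 3  # assumed threshold

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# The 'stream' keyword (not the tail of 'endstream') through 'endstream'.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def _name_pattern(name: bytes) -> re.Pattern:
    """Match '/Name' only where the name ends (so '/JS' != '/JSTypography')."""
    return re.compile(rb"/" + re.escape(name) + rb"(?![^\s()<>\[\]{}/%])")


def normalize_names(data: bytes) -> bytes:
    """Undo '#xx' hex escapes: '/#4Aava#53cript' becomes '/JavaScript'."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extract_streams(data: bytes) -> list:
    """Raw bytes of every stream ... endstream section in the file."""
    return [m.group(1) for m in _STREAM.finditer(data)]


def inflate(raw: bytes):
    """FlateDecode a stream body; None if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return None


def scan_pdf(data: bytes) -> dict:
    """Return {'findings': {name: (desc, hits, weight)}, 'score', 'verdict'}."""
    decoded = [(raw, inflate(raw)) for raw in extract_streams(data)]
    # Search the raw file and every inflated stream, so indicators hidden in
    # compressed object streams are still seen.
    views = [normalize_names(data)] + [normalize_names(d) for _, d in decoded if d]
    findings = {}
    for name, desc, weight in INDICATORS:
        hits = sum(len(_name_pattern(name).findall(view)) for view in views)
        if hits:
            findings[name.decode()] = (desc, hits, weight)
    # A stream whose content starts with a PE 'MZ' header is the case a
    # "restrict PDFs with embedded executable files" rule is after.
    for raw, inflated in decoded:
        if (inflated if inflated is not None else raw).startswith(b"MZ"):
            findings["EmbeddedExecutable"] = ("stream holds a PE (MZ) executable", 1, 3)
            break
    score = sum(w for _, _, w in findings.values())
    return {"findings": findings, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean"}


# --- constructed sample documents (not real malware) -------------------------
def _stream_obj(num: int, payload: bytes, compress: bool, extra: bytes = b"") -> bytes:
    body = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%d 0 obj\n<< /Length %d%s%s >>\nstream\n" % (num, len(body), filt, extra)
            + body + b"\nendstream\nendobj\n")


def _pdf(objects: list) -> bytes:
    """Minimal PDF skeleton; no xref table, which the scanner does not need."""
    return b"%PDF-1.4\n" + b"".join(objects) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN = _pdf([  # an /OpenAction that just jumps to page 1 stays under threshold
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
    _stream_obj(4, b"BT /F1 12 Tf 72 712 Td (Hello, world) Tj ET", compress=True),
])
OBFUSCATED_JS = _pdf([  # /JavaScript with its 'J' and 'S' hex-escaped
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n",
    b"5 0 obj\n<< /Type /Action /S /#4Aava#53cript /JS (app.alert(1)) >>\nendobj\n",
])
HIDDEN_LAUNCH = _pdf([  # /Launch action and MZ attachment, both FlateDecode-compressed
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    _stream_obj(6, b"<< /Type /Action /S /Launch /F (cmd.exe) >>", compress=True,
                extra=b" /Type /ObjStm /N 1 /First 0"),
    _stream_obj(7, b"MZ\x90\x00" + b"\x00" * 60, compress=True,
                extra=b" /Type /EmbeddedFile"),
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("obfuscated-js", OBFUSCATED_JS),
                       ("hidden-launch", HIDDEN_LAUNCH)):
        r = scan_pdf(doc)
        print(f"{label:14} {r['verdict']:10} score={r['score']} {sorted(r['findings'])}")
```

Run it as a script to see the three verdicts; `scan_pdf(open(path, "rb").read())` applies the same checks to a real file. The scoring is deliberately coarse: a single benign `/OpenAction` stays below the threshold, while a `/Launch` action or an MZ-headed attachment is enough on its own, which mirrors the intent of the separate "embedded executable" rule above.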

We are currently monitoring this threat and will post updates on any noteworthy developments.
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice