For the geekier among us wanting or needing to know more about the Adobe vulnerability that Randy and I both blogged on yesterday, here are a few resources:
- More from Shadowserver at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221
- As we've said previously, disabling JavaScript, while it doesn't address the underlying vulnerability, stops known exploits from working properly. There are rules for open source Snort at http://www.snort.org/vrt/advisories/vrt-rules-2009-02-20.html (and sundry other information elsewhere on the site)
- There's also a batch-file for turning off JavaScript in Adobe Reader by altering Registry settings at http://www.phishlabs.com/blog/archives/122 (I haven't tested it!). Assuming that it works as advertised, there's no advantage to using this on one or a handful of PCs - do it by hand, as we've previously detailed. It won't even work on many systems: it's specific to version 9.0 of Reader. If you don't understand what it does, or you don't know if it matches the software configuration on your own machine(s) you shouldn't use it. If you do understand it, it may save you some time if you need or want to disable JavaScript for multiple systems, even if you have to tweak it to suit your own systems, but you do need to know what you're doing.
- JavaScript in Adobe Reader is a Good Idea in general, not just in response to the current wave of exploits, but for most people, doing it through Edit | Preferences as described is a safer and surer way of doing it.
New malcode using this loophole is still appearing, though as far as I know the current exploits are still largely targeted rather than random. However, given the fact that more information is becoming public about the exact nature of the problem, it's likely that we'll see it used by other malware that may be more widely spammed. In other words, it will start to affect Joe Sixpack, not just specially targeted organizations.
David Harley
Director of Malware Intelligence
