The Latest in IT Security

Guard Against Sandbox-Bypassing Adobe Reader Zero-Day


News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the place. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. But the situation is not without hope.

With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader that is reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in Reader version 10, and it executes even if JavaScript is disabled in the software. The only interaction it requires is for a user to open a .PDF document; the bug triggers when the browser is closed.

There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.

It is definitely time to take action and observe due diligence. Given that details of the vulnerability are not available, we suggest that users follow these security measures:

  • Educate employees to refrain from opening documents received from unknown or unverified sources.
  • Consider using alternative .PDF software readers such as Foxit or the built-in reader in Google Chrome. Adobe is currently investigating this issue, but until Adobe comes up with a concrete solution or alternative fix, it might be best to steer clear of Adobe Reader for the time being.

We at Trend Micro Deep Security have, over time, developed several heuristics-based rules for generic detection of attack delivery via .PDF documents. As mitigation, Trend Micro customers using Deep Security, and OfficeScan users using the Intrusion Defense Firewall, should assign the following rules to their endpoints.

  • 1004133 – Heuristic Detection Of Malicious PDF Documents
  • 1004593 – Heuristic Detection Of Malicious PDF Documents – 2
  • 1004085 – Heuristic Detection Of Malicious PDF Documents – 3
  • 1004579 – Heuristic Detection Of Malicious PDF Documents 3
  • 1004652 – Identified Suspicious PDF Document
  • 1003503 – Suspicious PDF File With Embedded Obfuscated JavaScript
  • 1004081 – Restrict PDF Documents With Embedded Executable Files
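To illustrate the kind of heuristic the rules above implement, here is an added example written for this page (not Trend Micro's rule logic): a Python scan that flags PDF name objects associated with script and embedded-file delivery, decoding `#xx` name escapes first so that simple keyword obfuscation does not hide them. The two sample PDFs are constructed for the example.

```python
import re

# Name objects commonly involved in script or file delivery via PDF.
# Descriptions are ours; the list mirrors the rule categories above.
INDICATORS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short form)",
    b"/EmbeddedFile": "embedded file",
    b"/Launch": "launch action",
    b"/OpenAction": "auto-open action",
    b"/AA": "additional (event-triggered) action",
}

# A PDF name containing a #xx escape, e.g. /Java#53cript for /JavaScript.
HEX_NAME = re.compile(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}")


def normalize_names(data):
    """Decode #xx escapes so obfuscated names match the plain indicators.
    Applied to the whole file for simplicity; good enough for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data):
    """Return a sorted list of indicator descriptions found in the PDF."""
    findings = set()
    if HEX_NAME.search(data):
        findings.add("hex-escaped name (possible obfuscation)")
    plain = normalize_names(data)
    for token, desc in INDICATORS.items():
        # Match the name as a whole token, not as a prefix of a longer name.
        pattern = rb"(?<![A-Za-z])" + re.escape(token) + rb"(?![A-Za-z])"
        if re.search(pattern, plain):
            findings.add(desc)
    return sorted(findings)


def scan_pdf_file(path):
    """Convenience wrapper: scan a PDF on disk."""
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# Constructed samples: a plain catalog, and one with an auto-open
# obfuscated JavaScript action plus an embedded file.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SUSPECT = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
           b"3 0 obj << /S /Java#53cript /JS 6 0 R >> endobj\n"
           b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
           b"%%EOF")
```

Because the zero-day reportedly fires even with JavaScript disabled, keyword heuristics like this are a triage aid for the common delivery patterns, not a detector for this specific bug.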

These rules have provided protection against past zero-day exploits that we have collected over time. However, they should not be considered foolproof “cure-alls” for zero-day exploits, including this one. Timely rule implementation and user education are still key in safeguarding systems against threats – zero-day or not.

We are currently monitoring this threat and will give updates on any noteworthy developments.
