Acrobat 0-day used in targeted attacks
You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that has been used in targeted attacks. While this isn’t anything like a traditional phishing or malware attack, it could be considered a type of ’spear’ phishing.
In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader that allows attackers to execute arbitrary code. In real world exploits, the attackers use Acrobat javascript to fill memory with their code which when executed downloads and installs malicious files to the victim’s system. Sourcefire has revealed a suprisingly amount of detail about the vulnerability on their blog.
I say the amount of deal is surprising because very little information has come out about how to mitigate this attack. As a former IT security guy, this is extremely frustrating. Even in Adobe’s security advisory about the incident, they only information one is left with is to watch until March 11th for a patch. If you’re responsible for protecting users, there’s not much to do but hope your AntiVirus and other security products catch the attack.
While the attacks seen leverage Acrobat javascript, it’s important to note that in this particular case the actual vulnerability is not in javascript. However, because javascript is being used in real-world attacks and there have been other javascript vulnerabilities in Acrobat Reader, it makes sense to completely disable it. But what to do if you need to disable it across hundreds or thousands of machines?
PhishLabs spent some investigating which registry keys hold the javascript settings of Acrobat and found that the magic key is:
HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
Set this to 0×0 or 0×1 to disable or enable it respectively.
We’ve put together a simple batch file which automates this for you. Click here to down it.
Note that it has only been tested on Adobe Acrobat Reader 9.0.0 Standard US on Windows XP SP3. Use at your own risk.
February 21st, 2009 at 2:27 pm
[...] batch-file for turning off JavaScript in Adobe Reader by altering Registry settings at http://www.phishlabs.com/blog/archives/122 (I haven’t tested it!). Assuming that it works as advertised, there’s no advantage [...]
February 23rd, 2009 at 10:24 pm
[...] the security for several computers you may wish to disable JavaScript via the registry. The guys at PhishLabs have pointed out how to do this. according to their blog you can disable JavaScript in Adobe Reader [...]
February 24th, 2009 at 8:06 am
Note that for acrobat reader v8, that key becomes
HKCU\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
I would imagine that there may be other versions also, although localizations tend to use the same keys.
February 24th, 2009 at 12:55 pm
acrobat 6 pro:
HKCU\Software\Adobe\Adobe Acrobat\6.0\JSPrefs\bEnableJS
reader 7:
HKCU\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
February 25th, 2009 at 1:27 am
[...] 此外安全公司PhishLabs也发布了补丁去重置一个Windows注册表项,禁用Adobe Reader 9.0的JavaScript,从而切断黑客入侵之路。 Grenier的补丁下载。 [...]
February 25th, 2009 at 7:53 am
how do you disable the pop-up warning about enabling the java ??
February 27th, 2009 at 11:01 pm
Yeah – how do you disable the pop-up warning about enabling the java (fricking annoying)?
March 4th, 2009 at 5:21 am
[...] explorações através de arquivos PDF maliciosos estão acontecendo). Por enquanto, sobreviva de workarounds. Outra opção é instalar um patch não oficial que um consultor da SourceFire [...]
March 10th, 2009 at 7:58 am
[...] Phishlabs has written a bat file that can automatically handle the registry edit. You can download the necessary files here: http://www.phishlabs.com/blog/archives/122 [...]
March 17th, 2009 at 9:07 am
[...] you need to implement this change across a large number of machines, PhishLabs have posted some information which will make your life [...]