Acrobat util.printf() Exploit Detected with Existing IPS Signatures 

Nov 07, 2008 06:16 PM

It appears that last night an exploit for the Acrobat util.printf() vulnerability was added to a well-known Web attack toolkit. The attack is delivered as a compressed PDF. Once decompressed, the exploit turns out to be wrapped in a simple eval() plus string-concatenation block:

--
function main() {
    eval(unescape(""+"%"+"76%61%"+"72%20%7"+
    ..
    this.closeDoc(true);
}
app.setTimeOut("main()", 5000);
--
 
This decodes into an exploit for the util.printf() vulnerability:
---
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+ ...);
...
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);
---

In spite of the two-layer encoding on the exploit, the attack is detected as "HTTP Acrobat PDF Suspicious File Download" on NAV/NIS/N360 using any IPS definition set after October 3.

There have been some reports of detection problems with this attack, but they are not accurate. Symantec products rely on several defensive mechanisms to protect a host, including network and host intrusion prevention as well as antivirus. Currently, our products do not have antivirus protection for this attack (although an update is being released for Trojan.Pidief.D), but the intrusion prevention systems resident in NAV/NIS/N360 will catch it with existing definitions. I believe this discrepancy is simply a testing issue in some of the public test harnesses.
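To show how the two obfuscation layers above can be unwrapped without ever executing the JavaScript, here is an added Python example; it is not Symantec's code, not the toolkit's, and not the logic behind the IPS signature. It folds the `""+"%"+...` concatenations, statically expands `unescape()` and `eval(unescape(...))`, and then flags any `util.printf()` call whose format string carries an oversized width. The sample script is constructed here to mimic the layout in the post (the inner layer is percent-encoded and chopped into pieces the same way); the width threshold of 256 and all helper names are assumptions.

```python
import re

# --- Emulate the two JavaScript primitives the obfuscation relies on ---------

def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): decode %uXXXX and %XX sequences."""
    return re.sub(
        r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})',
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )

_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')

def fold_concat(src: str) -> str:
    """Join runs of adjacent string literals: ""+"%"+"76" becomes "%76"."""
    while True:
        folded = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        if folded == src:
            return src
        src = folded

# --- Statically expand eval(unescape("...")) and bare unescape("...") ---------

_EVAL_UNESCAPE = re.compile(r'eval\(\s*unescape\(\s*"([^"\\]*)"\s*\)\s*\)')
_UNESCAPE = re.compile(r'unescape\(\s*"([^"\\]*)"\s*\)')

def peel(src: str, max_layers: int = 8) -> str:
    """Repeat fold-and-expand until the script stops changing (or max_layers)."""
    for _ in range(max_layers):
        expanded = fold_concat(src)
        # eval(unescape("...")): the decoded text is code, so splice it in as code
        expanded = _EVAL_UNESCAPE.sub(lambda m: js_unescape(m.group(1)), expanded)

        # bare unescape("..."): replace with the decoded value as a plain literal,
        # but only when the result is still a simple quote-free string
        def as_literal(m):
            val = js_unescape(m.group(1))
            return '"%s"' % val if '"' not in val and '\\' not in val else m.group(0)

        expanded = _UNESCAPE.sub(as_literal, expanded)
        if expanded == src:
            return src
        src = expanded
    return src

# --- Detection: util.printf() with an oversized width specifier --------------

_PRINTF = re.compile(r'util\.printf\(\s*"%(\d+)[A-Za-z]"')

def find_oversized_printf(src: str, max_width: int = 256) -> list:
    """Return the widths of util.printf() format strings wider than max_width.
    256 is an assumed threshold for this example, not a value from the post."""
    return [int(w) for w in _PRINTF.findall(peel(src)) if int(w) > max_width]

# --- Constructed sample, laid out like the snippets in the post ---------------

def _js_escape(text: str) -> str:
    """Percent-encode every character, as the outer layer in the post is."""
    return ''.join('%%%02x' % ord(c) for c in text)

def _split_literal(encoded: str, n: int = 7) -> str:
    """Break a literal into ""+"..."+"..." pieces, mimicking the toolkit's layout."""
    parts = [encoded[i:i + n] for i in range(0, len(encoded), n)]
    return '""+' + '+'.join('"%s"' % p for p in parts)

# Inner layer (constructed): the util.printf() call shape quoted in the post.
INNER_JS = ('var nm = 1;\n'
            'util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);\n'
            'this.closeDoc(true);')

# Outer layer (constructed): the inner code percent-encoded and split, inside eval().
SAMPLE_JS = ('function main() {\n'
             'eval(unescape(' + _split_literal(_js_escape(INNER_JS)) + '));\n'
             '}\n'
             'app.setTimeOut("main()", 5000);')

if __name__ == "__main__":
    print(peel(SAMPLE_JS))
    print("oversized widths:", find_oversized_printf(SAMPLE_JS))  # [45000]
```

The peeling is purely textual, which is the point: a detector that has to run the script to see the payload can be stalled by timers such as the `app.setTimeOut()` call in the sample, whereas folding literals and expanding `unescape()` statically reaches `util.printf("%45000f", nm)` in two passes. Scripts that build strings from anything other than adjacent literals (array joins, arithmetic on char codes) will not fold with this code and would need the regexes extended.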

UPDATE: Bloodhound.exploit.213 has since been released to cover this vulnerability specifically.

We recommend that customers update their Adobe Reader and Acrobat installations if they haven’t already. Please also review Adobe's bulletin here: http://www.adobe.com/go/apsb08-19.
Message Edited by SR Blog Moderator on 11-08-2008 04:37 AM
