Last year when Adobe Acrobat was being exploited in the wild, some were calling for people to switch their PDF reader software as a defense against the exploits targeting Acrobat Reader. While application diversity can enhance an individual's ability to withstand broadcast attacks, it is important to consider that any alternative software still needs to be maintained, and consideration needs to be given as to how security systems handle this software. If a replacement application is not handled well by perimeter systems, has security been improved by the replacement?
Today's Web attack toolkit operators are often content with only a small percentage of success with their attacks. This often means that they are deploying any and every functional exploit they can get their hands on without regard for how successful it may be. Thinking that one can simply move to software that is not currently being exploited is not a good long term solution. In the long term, moving to alternative software can actually increase your vulnerability if additional software is simply installed and forgotten about.
On March 20, our honeypots began detecting exploits for the Foxit PDF reader. Although it is not clear if this specific attacker intentionally wanted to target users of the Foxit Reader who had installed and not updated their software, or if the exploit was simply added to the attack toolkit when it became public, users should nonetheless review their installations to ensure that they are not vulnerable to this attack. Foxit has fixed all known security vulnerabilities, and you can review their security bulletins here.
The updated attack serves a variety of exploits, along with the exploit for the Foxit PDF Reader (described in BID 34035). These attacks are detected by the following existing IPS signatures in Enterprise (SEP/SCS), and Consumer (NAV/NIS/N360) products:
HTTP Malicious Toolkit Variant Activity
HTTP Acrobat PDF Suspicious File Download