Endpoint Protection

  • 1.  Zero-day exploit for Adobe Reader

    Posted Jun 06, 2010 11:04 PM
    As far as I know, there is still nothing from Symantec to protect users from this.

    As Adobe says: "Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content."

    So is it possible to mitigate this using an application control policy on SEPM?


  • 2.  RE: Zero-day exploit for Adobe Reader

    Posted Jun 07, 2010 01:39 AM
    You may want to see if IPS already stops this. But I do believe you can make app control prevent access to this file.


  • 3.  RE: Zero-day exploit for Adobe Reader

    Broadcom Employee
    Posted Jun 07, 2010 01:42 AM

    Yes, you may need to set an application control policy to disable the user privilege to modify the registry entry.



  • 4.  RE: Zero-day exploit for Adobe Reader

    Posted Jun 08, 2010 01:45 AM
    Hi

    I believe that you are referring to the Security Advisory for Flash Player, Adobe Reader and Acrobat that was released on 4 June (CVE-2010-1297, more details: http://www.adobe.com/support/security/advisories/apsa10-01.html)

    Symantec Security Response posted a blog on the subject on 6 June: there are many good details in there.  https://www-secure.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat

    An excerpt:

    "We have confirmed that the attack involves Trojan.Pidief.J, which is a PDF file that drops a back door Trojan onto the compromised computer if an affected product is already installed. We have also come across an attack using a malicious SWF file (detected as Trojan Horse) in conjunction with an HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web. (We may update these three detection names once our analysis is complete)."

    Please do make sure that all AV defs are up to date in your network!  Let the forum know if there are any additional questions or concerns.

    Thanks and best regards,

    Mick


  • 5.  RE: Zero-day exploit for Adobe Reader

    Posted Jun 08, 2010 06:46 PM

    Thanks Mick. This is very helpful. Just wanted to sum up what Adobe said about this on their site:

    "A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.

    We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010."

    More information can be found in the links Mick posted, but essentially they are pushing out the updates at the end of the week, and Symantec is updating its heuristic detection to help in the meantime.

    Cheers
    Grant
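As an added posture check (not code from this thread, Symantec or Adobe), the Python below applies the two facts quoted above: the affected Flash Player range (10.0.45.2 and earlier) and Adobe's authplay.dll workaround for Reader/Acrobat 9.x. The Reader/Acrobat install directories are assumed and must be supplied by the caller, since they vary per machine.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, Tuple

# From the advisory text quoted in this thread: Flash Player 10.0.45.2 and
# earlier is affected, so anything strictly newer is treated as patched.
LAST_AFFECTED_FLASH = (10, 0, 45, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.45.2' into (10, 0, 45, 2), padding short versions with zeros.
    Comparing tuples avoids the classic string-comparison bug where
    '9.0.280.0' sorts above '10.0.45.2'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no version number found in %r" % text)
    return tuple((parts + [0, 0, 0, 0])[:4])


def flash_is_affected(version: str) -> bool:
    """True when the installed Flash Player falls in the affected range."""
    return parse_version(version) <= LAST_AFFECTED_FLASH


def authplay_status(install_dirs: Iterable[str]) -> Dict[str, str]:
    """For each Reader/Acrobat 9.x directory, report whether authplay.dll is
    still present ('exposed') or has been deleted/renamed ('mitigated'),
    which is the workaround Adobe describes."""
    status = {}
    for d in install_dirs:
        dll = os.path.join(d, "authplay.dll")
        status[d] = "exposed" if os.path.isfile(dll) else "mitigated"
    return status


def demo_status() -> Dict[str, str]:
    """Constructed fixture: one unpatched directory and one with the
    workaround applied (dll renamed), run through authplay_status()."""
    root = tempfile.mkdtemp(prefix="authplay_demo_")
    exposed, mitigated = os.path.join(root, "Reader9"), os.path.join(root, "Acrobat9")
    os.makedirs(exposed)
    os.makedirs(mitigated)
    open(os.path.join(exposed, "authplay.dll"), "wb").close()
    open(os.path.join(mitigated, "authplay.dll.disabled"), "wb").close()
    result = authplay_status([exposed, mitigated])
    return {os.path.basename(k): v for k, v in result.items()}


if __name__ == "__main__":
    print("Flash 10.0.45.2 affected:", flash_is_affected("10.0.45.2"))
    print(demo_status())
```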