There has been quite a lot of traffic in the last few weeks about the doc.media.newPlayer vulnerability referenced in the CVE database as CVE-2009-4324. The following Adobe articles refer:

http://www.adobe.com/support/security/advisories/apsa09-07.html
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
http://blogs.adobe.com/psirt/2009/12/security_advisory_apsa09-07_up.html

Today's article at the Internet Storm Center by Bojan Zdrnja (http://isc.sans.org/diary.html?storyid=7867) gives a lot of detail on a particularly inventive exploit of the vulnerability. I won't attempt to replicate the post here, but it includes several interesting features. The latest news from Adobe is that a patch will be made available on 12th January.

However, the point I do want to emphasise is this: once again, this exploit takes the easy route by relying on Adobe's insistence on enabling JavaScript by default. As both Randy and I have pointed out several times before (most recently in Randy's blog at http://www.eset.com/threat-center/blog/2009/12/18/pdf-%e2%80%93-pretty-darned-fatal), JavaScript would be unnecessary for most end users even if it didn't entail any added risk. However, the fact that it has been the channel for so many attacks in the past year or two tells us that it does entail significant risk. I would therefore suggest that you need to consider the following issues:

  • If you're using Adobe Reader and/or Acrobat, you need to ensure that this patch (and other patches) are applied as soon as possible after they become available.
  • Note that Adobe's patching practice is not yet as timely or as transparent as it ought to be: if you don't have administrative privileges (which is good practice in terms of the "principle of least privilege"), you may not even receive notice of the availability of a patch, let alone be able to install it. Adobe really need to learn from Microsoft in this respect, and others...
  • If you've taken our advice to disable JavaScript unless you know you need it, you might want to check that it hasn't been re-enabled! If you haven't disabled it, you should consider it. Seriously.
  • In view of Adobe's habit of making it as difficult as possible to use the product with reasonable security, are you sure you need to use Reader? (I understand that you might find it less than convenient to dispense with full-blown Acrobat for business use.) While I wouldn't care to recommend any particular alternative product without doing some comparative research, it has to be worth considering alternatives such as Foxit and Sumatra, or one of the cheaper PDF generation programs.
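
One way to check that JavaScript hasn't been re-enabled is the following PowerShell sketch. It is an added example, not part of the original post or Adobe's tooling. It assumes the per-user preference is stored as the DWORD `bEnableJS` under `HKCU:\Software\Adobe\<product>\<version>\JSPrefs`, and it treats a value that was never set as enabled, in line with the default described above; the function name `Get-AdobeJsState` is hypothetical.

```powershell
# Added example: report the Acrobat JavaScript setting for the current user.
# Assumption: preference is HKCU:\Software\Adobe\<product>\<version>\JSPrefs\bEnableJS
# (DWORD, 0 = JavaScript off). A missing value is treated as "enabled by default".
$AdobeProducts = 'Acrobat Reader', 'Adobe Acrobat'

function Get-AdobeJsState {
    param([string[]]$Product = $AdobeProducts)

    foreach ($p in $Product) {
        $base = "HKCU:\Software\Adobe\$p"
        if (-not (Test-Path $base)) { continue }      # product not used by this user

        # Each installed major version keeps its own subkey (for example "9.0").
        foreach ($ver in Get-ChildItem $base) {
            $prefs = Join-Path $ver.PSPath 'JSPrefs'
            $value = $null
            if (Test-Path $prefs) {
                $item  = Get-ItemProperty -Path $prefs -Name bEnableJS -ErrorAction SilentlyContinue
                if ($item) { $value = $item.bEnableJS }
            }

            if ($null -eq $value) {
                $state = 'Enabled (default, never changed)'
            } elseif ($value -eq 0) {
                $state = 'Disabled'
            } else {
                $state = 'Enabled'
            }

            [pscustomobject]@{
                Product    = $p
                Version    = $ver.PSChildName
                bEnableJS  = $value
                JavaScript = $state
            }
        }
    }
}

$report = @(Get-AdobeJsState)
$report | Format-Table -AutoSize

# Flag anything that is not explicitly disabled so it can be followed up.
$report | Where-Object { $_.JavaScript -ne 'Disabled' } | ForEach-Object {
    Write-Warning "$($_.Product) $($_.Version): JavaScript is $($_.JavaScript)"
}
```

The setting is per user, so the check only covers the account it runs under; run it at logon or in each user's context to catch the setting being switched back on.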

This issue does confirm another point we've made several times: while we expect the bad guys to continue looking for and exploiting vulnerabilities in operating systems, application vulnerabilities tend to offer richer seams for exploitation nowadays. It's not Adobe's fault that its products are so regularly targeted, but the company's reluctance to commit to best patching practice is a real problem.

David Harley
Director of Malware Intelligence