
1 Copyright © 2000-2010, Solutionary, Inc.
Current Adobe Exploits
- 2 different exploits in play
  - “Here you have”, “Just for you”
    - No Advisory – PDF Masking
  - “David Leadbetter’s One Point Lesson”
    - Adobe advisory CVE-2010-2883
- Both delivered via email and web-site access
- Both result in
  - unintended code execution
  - additional malware to be installed

2 Current Adobe Exploits
- “Here you have”, “Just for you”
  - W32/VBMania@MM - McAfee
  - Classic bait-n-switch spam
  - Click on PDF or WMV, get SCR or EXE
  - Shuts down security software
  - Installs to Windows directory as CSRSS.EXE
  - Drops .JPG.SCR files on network shares user has access to
- “David Leadbetter’s One Point Lesson”
  - Advisory CVE-2010-2883 (empty as of last night)
  - Actually uses PDF file – Very sophisticated ROP sled
  - Executes Javascript within file to cause exploit
  - Uses buffer overflow in cooltype.dll to get the ball rolling
  - Utilizes stolen Verisign certificate issued to secure2.ccuu.com
  - Bypasses ASLR & DEP using icucnv36.dll (Unicode)
  - Creates several files including iso88591, igxfver.exe, wincrng.exe, hlp.cpl

3 Mitigation
- Aggressive AV/AS on gateways and end-points
- Block attachments using gateways / IPS
  - Exploit shell-code based blocking
  - Attachment blocking http://*.scr, http://*.exe, etc.
  - Subject line blocking
- Consider Alternatives: Foxitsoftware.com
  - Smaller, tighter
  - Has had security issues, very responsive to fixing them
- End-point Hardening
  - Disable Javascript within Adobe Acrobat
    - Edit -> Preferences -> Javascript -> Uncheck
  - Vulnerability patching / end-point hardening
- Security Awareness
  - Treat all unsolicited email with PDF or ANY attachments with extreme caution!
- Incident Identification / Response
  - How quickly can you react? What steps will you take?
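
The attachment and link blocking listed on the Mitigation slide, sketched as a gateway-style check (an added example, not part of the original presentation). The extension lists, function names, example.com host and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from pathlib import PurePosixPath
from urllib.parse import urlparse, unquote

# Assumed policy lists for this example; adjust to local gateway policy.
BLOCKED_EXT = {".scr", ".exe", ".cpl"}
DECOY_EXT = {".pdf", ".wmv", ".jpg"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def classify(name):
    """Return 'masked', 'blocked' or None for a file name or URL path."""
    # Windows drops trailing dots and spaces, so strip them before checking.
    clean = unquote(name).strip().rstrip(". ").lower()
    suffixes = PurePosixPath(clean).suffixes
    if not suffixes or suffixes[-1] not in BLOCKED_EXT:
        return None
    masked = len(suffixes) > 1 and suffixes[-2] in DECOY_EXT
    return "masked" if masked else "blocked"

def inspect_message(raw):
    """Return sorted (kind, verdict, item) findings for attachments and links."""
    findings = set()
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        if fname:
            if classify(fname):
                findings.add(("attachment", classify(fname), fname))
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                if classify(urlparse(url).path):
                    findings.add(("link", classify(urlparse(url).path), url))
    return sorted(findings)

# Constructed sample message (not taken from a real campaign).
SAMPLE = """Subject: Here you have
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain; charset="utf-8"

Document: http://files.example.com/docs/Report.pdf.scr
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.JPG.SCR"

--B--
"""
if __name__ == "__main__": print(inspect_message(SAMPLE))
```

A "masked" verdict means an executable extension hidden behind a document or media extension, the bait-and-switch pattern described on slide 2; "blocked" is a plain executable extension.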

4 Disabling Javascript in Acrobat

