Urgent: Adobe Reader Vulnerability Affects 9.2 and Earlier
- This vulnerability affects: Adobe Reader and Acrobat 9.2 and earlier, on Windows, Mac, and Unix computers
- How an attacker exploits it: By enticing your users into viewing a maliciously crafted PDF document that uses JavaScript
- Impact: An attacker can potentially gain control of your system
- What to do: Implement the workarounds described in the Solution Path section of this alert
Exposure:
Adobe has confirmed a critical zero-day vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe first referenced it in a blog posting on Monday and has since issued a security bulletin. Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.
Users running Microsoft DEP (“Data Execution Prevention”) functionality, available in more recent versions of Microsoft Windows, are at reduced risk:
- All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
- Acrobat 9.2 running on Windows Vista SP1 or Windows 7
- Acrobat and Adobe Reader 9.2 running on Windows XP SP3
- Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
In Adobe’s testing, the DEP mitigation reduced the impact of this exploit to a Denial of Service.
Since attackers are actively exploiting this vulnerability in the wild and Adobe hasn’t had time to patch it yet, this flaw poses a serious risk to Adobe Reader users. Until a patch is available, we recommend you implement the workarounds described below to mitigate the risk of this attack.
Solution Path
Adobe has not had time to release a patch for this zero-day vulnerability. However, the workarounds described below should mitigate the risk of attacks currently circulating in the wild.
- Inform your users of this vulnerability. Advise them to remain wary of unsolicited PDF documents arriving via email. If they don’t absolutely need the document, and don’t trust the entity it came from, they should avoid opening it until you patch Adobe Reader.
- Disable JavaScript in Adobe Reader. According to Adobe, users can mitigate the issue this way. To disable JavaScript, click Edit => Preferences => JavaScript and then uncheck Enable Acrobat JavaScript. Keep in mind, this prevents JavaScript from running in legitimate PDF documents as well.
- Use a gateway device, like your Firebox, to block PDF files. If your users can’t download PDF files, these exploits won’t affect them. Unfortunately, doing this blocks legitimate PDF files as well. Nonetheless, depending on your business needs, you may still want to block PDF files until a patch is available.
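Where blocking every PDF is too disruptive, a mail or download filter can instead hold back only the PDFs that carry JavaScript. The following is an added example, not code from Adobe or from this alert: a byte-level triage that also decodes hex-escaped names. The function names, verdict labels and sample documents are assumptions made for illustration.

```python
import re

# A PDF name is "/" plus non-delimiter bytes; "#xx" is a hex escape, so
# "/J#61vaScript" and "/JavaScript" are the same name to a PDF reader.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT_NAMES = {b"JS", b"JavaScript"}   # dictionary keys that hold script
AUTORUN_NAMES = {b"OpenAction", b"AA"}  # actions fired without a click


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Classify raw file bytes as not-pdf, allow, review or quarantine."""
    if b"%PDF-" not in data[:1024]:     # header may follow leading junk
        return {"verdict": "not-pdf", "script": False, "autorun": False}
    names = {decode_name(m.group(1)) for m in _NAME.finditer(data)}
    script = bool(names & SCRIPT_NAMES)
    autorun = bool(names & AUTORUN_NAMES)
    if script:
        verdict = "quarantine"
    elif b"ObjStm" in names:
        # Object streams are compressed, so a byte scan cannot see the
        # dictionaries inside them; hand these to a full parser or a person.
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "script": script, "autorun": autorun}


# Constructed samples (not taken from any real document).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
            b"endobj\n3 0 obj\n<< /S /J#61vaScript /J#53 (var x = 1;) >>\n"
            b"endobj\n")
PACKED = b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("scripted", SCRIPTED),
                        ("packed", PACKED), ("gif", b"GIF89a")):
        print(label, triage_pdf(blob))
```

A byte scan can over-flag (a matching name inside binary stream data) and cannot see inside compressed object streams, so treat "allow" as lower risk rather than clean and keep the JavaScript setting disabled in Reader.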