Disable JavaScript until next Tuesday

Oct 9, 2009 08:25 GMT

Attackers are exploiting a zero-day vulnerability in the latest versions of Adobe's Reader and Acrobat products to compromise computers. The company recommends disabling JavaScript as a temporary solution until a patch is shipped on October 13.

The vulnerability, identified as CVE-2009-3459, can be used to remotely execute arbitrary code on a computer running the latest Windows flavor of Adobe Reader or Acrobat (9.1.3). In order to exploit it, attackers have to trick users into opening maliciously crafted PDF files.

Adobe credits Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center with the discovery of this flaw, which it says is currently being exploited in the wild as part of limited targeted attacks. The company plans to address the flaw in its upcoming quarterly security update set to ship on October 13.

However, if past experience is any indication, attacks are likely to escalate in the coming days as more cybercriminal gangs get their hands on the exploit. Until a patch is delivered, Adobe recommends disabling JavaScript support in the products, as doing so renders the current exploitation technique ineffective.

This can be achieved by unchecking the "Enable Acrobat JavaScript" checkbox in Adobe Reader's Preferences menu, although David Lenoe from Adobe's Product Security Incident Response Team (PSIRT) points out that this might not ensure 100% protection. "A variant that does not rely on JavaScript could be possible," he warns.

Notably, users running Windows Vista with Data Execution Prevention (DEP) enabled are safe from arbitrary code execution. However, since unsuccessful exploitation will result in a denial-of-service condition, the application might still crash.

Another method of protection is to ensure that your AV product is up to date, as Adobe is working with antivirus vendors to identify the malicious PDF files. "In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users [to] keep their anti-virus definitions up to date," Mr. Lenoe notes.