
Security Advisory: Adobe Acrobat vulnerability | Cerberus Sentinel Blog

You know it's a bad week when circumstances warrant two Security Advisory posts. There is a zero-day vulnerability making the rounds that affects Adobe Acrobat and Acrobat Reader versions 9. The exploit arrives in a PDF file and abuses Acrobat's ability to run JavaScript embedded in PDF files. The vulnerability can be completely mitigated by disabling the execution of JavaScript in PDF files (PDFs that contain JavaScript are very rare anyway).

Unfortunately, there is no easy way to effect this Acrobat configuration change across all of your corporate PCs at once. It does make me wish that Adobe provided an Active Directory Group Policy plug-in to enforce certain configuration settings on a domain-wide basis.

Suggestions:

  1. As the PDF is an otherwise well-formed document, there is no easy way to detect a malicious document with any signature-based network monitoring like True's NSM service. The best advice I can provide is to ensure that all anti-virus signatures are up to date across your enterprise, although the AV vendors are playing catch-up at this point, and I cannot find any definitive answer as to whether any of them can detect this exploit yet. Some people are saying that Symantec may possibly detect this in some form.
  2. I suspect that the largest number of deliveries of a malicious PDF would arrive via e-mail, and so I would also recommend that you remind your users via e-mail to avoid opening PDFs which arrive unexpectedly in e-mail, are from untrusted (non-business related) sources, and/or are named in such a way as to suggest that they are recreational and non-business in nature.

By far the quickest, easiest and likely (at this point) most effective action you can take is to notify your users via e-mail as I describe in suggestion #2.
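Because the exploit depends on JavaScript embedded in the PDF, and such PDFs are rare, one triage step is to flag any PDF that declares script objects at all. The following is an added example, not code from the original post: it counts the PDF name tokens `/JS`, `/JavaScript`, `/OpenAction` and `/AA`, decoding `#xx` name escapes, over constructed sample bytes. It flags the presence of JavaScript, not this specific exploit, and it does not see names stored inside compressed object streams.

```python
import re

# PDF name tokens that indicate embedded or automatically triggered script.
SUSPECT_NAMES = {b"JS", b"JavaScript", b"OpenAction", b"AA"}

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_script_names(data: bytes) -> dict:
    """Return {name: occurrences} for the suspect names found in the raw bytes."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in SUSPECT_NAMES:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    return counts


def has_javascript(data: bytes) -> bool:
    """True when the file declares a JavaScript action or script body."""
    counts = count_script_names(data)
    return "JS" in counts or "JavaScript" in counts


# Constructed sample fragments (not real documents, script bodies are placeholders).
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (placeholder) >>\nendobj\n"
)
ESCAPED_PDF = b"%PDF-1.4\n3 0 obj\n<< /S /J#61vaScript /J#53 (placeholder) >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_PDF), ("scripted", SCRIPTED_PDF),
                          ("escaped", ESCAPED_PDF)]:
        print(label, has_javascript(sample), count_script_names(sample))
```

A hit is a reason to hold the attachment for review rather than proof of malice; legitimate forms occasionally use JavaScript.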
