Zero Day in Adobe Acrobat and Reader Part 3 Oh Crap

Secunia has verified disabling javascript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader.
The current exploit seen in the wild uses javascript to perform a heap spray for code execution. The vulnerability is in in a non-javascript function call. The original alert put out by Shadowserver states:

There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it.

Secunia reports that they have “managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.”
Even without this method of exploiting without javascript, a SANS commenter has pointed out the potential problem of disabling javascript. When a user opens a PDF containing javascript, they are prompted to re-enable javascript by clicking yes. How many users are really going to stop and consider the source of the file before re-enabling javascript.

One Comment

Comments are closed.