All posts by Juha-Matti

About Juha-Matti

Security consultant from Finland

Adobe 0-day vulnerability (CVE-2009-4324) – what this means?

SecuriTeam Blogs contains several FAQ documents about MS Office vulnerabilities used in targeted attacks since 2006. This time I’m not writing a FAQ. This document has answers to What this means type questions.

What an organization can make to protect?

#1 Disable JavaScript. Deploy a system to deliver this setting to all workstations. This is not the last Adobe 0-day which we will see.

What this means?

Go to Edit>Preferences menu, select item ‘JavaScript’, Uncheck “Enable Acrobat JavaScript” and to save the setting click ‘OK’.

#2 Enable DEP

Some Windows systems include Data Execution Prevention (DEP) functionality.

What this means?

If your organization is using Windows versions with DEP support the code execution can be avoided.

Adobe has confirmed these mitigation advices in security advisory APSA09-07, but as mentioned DEP method doesn’t fully prevent the exploitation.

#3 Do not open PDF documents from unknown sources AND received unexpectedly.

What this means?

If you don’t know the sender who is sending you file attachments there is always a risk that you are a victim of targeted attack. Remember that the sender can be easily spoofed as well.

#4 Switch to alternative PDF reader.

There are many free and commercial products. However, they are often affected by Adobe vulnerabilities too and a patching policy is needed when switching to another product.

What this means?

Changing the PDF reader in large organization is not an easy move. Today is a good day to start the planning project.

Let’s talk about technical details with some words. The vulnerability exists in method. The Trojan in these attacks generated connections to http: // foruminspace dot com and http: // newsplaza dot net (these servers are located in Malaysia).

AV vendors use the following names when detecting the malicious PDF document:

Exploit.JS.Pdfka.atq (Kaspersky)

Exploit:W32/AdobeReader.UZ (F-Secure) (McAfee)

PDF/Pidief.NQ (CA)

Trojan.Pidief.H (Symantec)


Troj/PDFJs-FS (Sophos)

The size of the infected PDF document is 400,918 bytes. The file name varies, but it can be note200911.pdf, note_20091210.pdf or Outline of Interview.pdf.

The oldest vulnerability is known – let’s find the oldest data loss incident

The oldest documented vulnerability in computer security world is password file disclosure vulnerability from 1965, found by Mr. Ryan Russell.

Open Security Foundation – an organization behind OSVDB and DataLossDB has launched a competition to find the oldest documented data loss incident.

The last day to make a submission is next Friday – 15th May.
The link is easy to remember –