On the recent PDF exploit
October 19, 2009 at 1:19 pm
I previously wrote about the popularity of document exploits (“poisoned documents”), noting that such exploits would be well suited for targeted attacks on social networks. PDF has become ubiquitous on the World Wide Web and is supported on many platforms, from desktops to smartphones. While most attacks still concentrate on one platform, innovative exploits continue to emerge, opening the door to further attack avenues. Such exploits typically require much time and effort; that this effort is clearly being invested is a good indicator that we will likely see more of them in the future, with expansion to other platforms.
Among the issues fixed in Adobe’s recent quarterly patch release was CVE-2009-3459, at the time a zero-day spotted under attack in the wild, targeting Adobe Reader (PDF). You may find our security advisory here, complete with advanced threat coverage prior to Adobe’s patch for this zero-day (detected through our IPS solution as ‘Adobe.Reader.Decode.Color.Remote.Code.Execution’). FortiGuard Labs’ Haifei Li has provided an in-depth study of this recent attack, from vulnerability to exploitation and payload. You can find it here on our FortiGuard Center; it’s a highly recommended read, as it showcases the sophistication of exploit writers within today’s threat landscape.
