Dave Kennedy and Kevin Long from Verizon’s security team are offering some of the best advice I’ve seen regarding the ongoing attacks against an unpatched Adobe Acrobat/PDF vulnerability.
I’ve complained bitterly about the lack of mitigation guidance from Adobe and I’m happy to see the Verizon researchers filling in the blanks and offering suggestions to reduce your exposure to these attacks.
From the Verizon blog post:
Mitigations (none are 100% effective, but all contribute to defensive protection):
* Disable JavaScript in Adobe Acrobat and Reader. This stops the known attacks, but does not eliminate the underlying vulnerability in JBIG2 handling. Disabling JavaScript is also effective against other PDF vulnerabilities. If JavaScript is not business-essential, consider disabling it using GPO or other enterprise-wide techniques.
* Anti-virus vendors are updating to detect malicious PDF using the new vulnerability. Some AV were preventing exploitation of this vulnerability since last summer. While AV detection is not perfect, it’s ironic to note eWeek’s blogger is making the most noise about it. Desktop, e-mail gateway and web content AV all participate in effective defense.
* IDS and IPS signatures are available.
* Disable automatic rendering of PDFs in the browser to allow the user time to decide whether to launch a file or not.
* Disable rendering of PDFs in the browser at all. This is another measure forcing the writing of a downloaded PDF to disk before it’s opened thereby giving AV a better chance to detect and block an attack.
* Encourage users to be cautious about PDFs from unknown sources or unsolicited PDFs from anyone.
* Use an alternative PDF handler.
Also see: