Internet Security Systems - AlertCon(TM)

Adobe JBIG2... going big?

Posted by John Kuhn and Holly Stewart on March 17, 2009 at 10:53 AM EDT.

When the Adobe Reader and Acrobat vulnerability was announced last month, we heard about external reports of targeted exploitation, but were not seeing anything in the wild ourselves. Typically, these 0-day exploits are kept pretty close to the chest. However, with this one, researchers pounced and within a few days, vulnerability details were floating around, which were quickly followed by proof-of-concept exploits. We've been waiting and monitoring... checking to see when these exploits might get integrated into toolkits. It seems like yesterday was the day.

Although we've only picked up a few attempts, it's clear that JBIG2 exploit-laden PDFs are now being sent alongside other PDF exploits through spam bots, seemingly originating from Taiwan (although they may be spoofed).

This one is especially tricky with certain email clients, since the components that exploit Adobe are sometimes rendered in advance simply by opening the email (and not the attachment). As with many of these file format vulnerabilities, portions of the file are auto-loaded by many applications (for example, when hovering over the file in a directory).

So, word to the weary! Patch and make sure you've got protection. IBM ISS customers, please take a look at our alert for protection details.
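Until patches are deployed, one way to triage inbound mail is to flag PDF attachments that contain any JBIG2 stream at all. The sketch below is an added example, not code from the original post or from IBM ISS; the function names and the sample message are constructed for illustration, and a hit means "contains a JBIG2 stream", not "is malicious".

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# A PDF name token runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Any character of a name may be written as #xx, e.g. /JBIG#32Decode.
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_name(raw: bytes) -> bytes:
    """Decode #xx escapes so obfuscated spellings compare equal."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def jbig2_names(data: bytes) -> list:
    """Raw spellings of every name token that decodes to JBIG2Decode.
    Limitation: names inside compressed object streams are not visible."""
    return [m.group(1) for m in NAME_RE.finditer(data)
            if normalise_name(m.group(1)) == b"JBIG2Decode"]

def triage_message(raw_msg: bytes) -> list:
    """Return (filename, hit_count, obfuscated) for each PDF part with JBIG2."""
    findings = []
    for part in message_from_bytes(raw_msg).walk():
        body = part.get_payload(decode=True)  # None for multipart containers
        # Trust the content, not the declared MIME type or file extension.
        if not body or b"%PDF-" not in body[:1024]:
            continue
        hits = jbig2_names(body)
        if hits:
            obfuscated = any(h != b"JBIG2Decode" for h in hits)
            findings.append((part.get_filename(), len(hits), obfuscated))
    return findings

def build_sample() -> bytes:
    """Constructed test message with three minimal, harmless PDF skeletons."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, filt in (("plain.pdf", b"/FlateDecode"),
                       ("img.pdf", b"/JBIG2Decode"),
                       ("obf.pdf", b"/JBIG#32Decode")):
        pdf = (b"%PDF-1.4\n1 0 obj\n<< /Filter " + filt +
               b" /Length 4 >>\nstream\nAAAA\nendstream\nendobj\n%%EOF\n")
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Because the check runs on the raw message at the gateway, it does not depend on a mail client or file browser rendering the PDF first.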
