Xanda’s Blog !~!

I was reading my RSS feed and suddenly I’ve found this PDF sample. We’ve found PDF-JS Obfuscation with this.info.title last week and this time comes another trick. Using hexadecimal in defining filter..

The following line was found in one of the stream

</Length 0000000/Filter/#41#53#43#49#49#38#35#44#65#63#6f#64#65>>

once converted from hex to ascii, here is what i’ve found

</Length 0000000/Filter/ASCII85Decode>>

Yeah.. nothing much, but yes the sample will be passed to Azizan for enhancement of Analyz3r

xanda IT Related analyz3r, client side, exploit, filter, hex, pdf

Nothing much but YES to agree with Didier Stevens with his statement:

PDF + JS = OMG

Yerp.. there is another vulnerability (CVE-2009-3459) in Adobe Reader and Acrobat today (GMT +8) and so far it is still 0 day..

*panic panic* What to do?

1. Disable JavaScript support in Adobe Reader and Acrobat
2. Enable DEP (for Windows)
3. Use NoScript
4. Use alternative PDF reader like Foxit, Gnome Document Viewer, yada yada..
5. Don’t be a lame by opening unknown PDF attachment

xanda IT Related 0day, acrobat, adobe, clientside, CVE-2009-3459, javascript, pdf