Exploit AdobeReader: How To Clean Your Computer From It

Here is another interesting yet dangerous infection: Exploit.AdobeReader.

Exploit.AdobeReader is malicious code, typically delivered through a crafted PDF, that permits remote execution of arbitrary code on the target computer. The executed commands run with the privileges of the user who is logged in on the host computer.

Examining this exploit, I observed a few characteristics.

First, it creates a new process called CbEvtSvc.exe. In my observation, 92% of the time this process is actually an exploit of Adobe Reader, so if you see it running it is very likely an infection on your computer.

Second, it installs itself as a service posing as the COM+ Event System, and it runs as its own executable rather than inside an svchost.exe host process. That is the tell: the genuine COM+ Event System service (service name EventSystem) is hosted by svchost.exe, so a standalone CbEvtSvc.exe claiming that name should be treated as suspicious.
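The following triage script is an added example and is not code from the original post. It applies the two observations above to a list of Windows service records (the fields Name, DisplayName, PathName and State as returned by `Get-CimInstance Win32_Service`) and flags any entry that runs CbEvtSvc.exe or that claims to be the COM+ Event System without being hosted by svchost.exe. The sample records are constructed for illustration; the service name "CbEvtSvc" for the fake service is an assumption, since the post only names the executable.

```python
"""Triage check for the CbEvtSvc.exe / fake "COM+ Event System" indicator.

Usage on a live host (PowerShell, then this script):
    Get-CimInstance Win32_Service |
        Select-Object Name,DisplayName,PathName,State |
        Export-Csv services.csv -NoTypeInformation
    python triage.py services.csv
Run with no argument to check the constructed sample records below.
"""
from __future__ import annotations

import csv
import re
import sys
from dataclasses import dataclass

# The legitimate COM+ Event System service is named "EventSystem" and is
# hosted by svchost.exe (on XP: svchost.exe -k netsvcs).
LEGIT_EVENTSYSTEM_NAME = "eventsystem"
SVCHOST_RE = re.compile(r"(^|[\\/])svchost\.exe\b", re.IGNORECASE)
INDICATOR_RE = re.compile(r"cbevtsvc\.exe", re.IGNORECASE)
COMPLUS_RE = re.compile(r"COM\+\s*Event\s*System", re.IGNORECASE)


@dataclass
class ServiceRecord:
    name: str
    display_name: str
    path_name: str
    state: str


def triage(services):
    """Return a list of (service name, path, [reasons]) for suspicious services."""
    findings = []
    for svc in services:
        reasons = []
        if INDICATOR_RE.search(svc.path_name):
            reasons.append("binary is CbEvtSvc.exe (known indicator)")
        claims_complus = bool(COMPLUS_RE.search(svc.display_name))
        if claims_complus and not SVCHOST_RE.search(svc.path_name):
            reasons.append("claims to be COM+ Event System but is not hosted by svchost.exe")
        if claims_complus and svc.name.lower() != LEGIT_EVENTSYSTEM_NAME:
            reasons.append(
                f"COM+ Event System display name on unexpected service name '{svc.name}'"
            )
        if reasons:
            findings.append((svc.name, svc.path_name, reasons))
    return findings


def load_csv(path):
    """Read the CSV exported by Get-CimInstance / Export-Csv into ServiceRecords."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return [
            ServiceRecord(row["Name"], row["DisplayName"], row["PathName"] or "", row["State"])
            for row in csv.DictReader(fh)
        ]


# Constructed sample data: one genuine EventSystem entry, one unrelated
# service, and one entry shaped like the infection described in the post.
# The service name "CbEvtSvc" is assumed; the post names only the executable.
SAMPLE_SERVICES = [
    ServiceRecord("EventSystem", "COM+ Event System",
                  r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "Running"),
    ServiceRecord("Spooler", "Print Spooler",
                  r"C:\WINDOWS\system32\spoolsv.exe", "Running"),
    ServiceRecord("CbEvtSvc", "COM+ Event System",
                  r"C:\WINDOWS\system32\CbEvtSvc.exe", "Running"),
]


if __name__ == "__main__":
    records = load_csv(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVICES
    hits = triage(records)
    if not hits:
        print("no suspicious services found")
    for name, path, reasons in hits:
        print(f"SUSPICIOUS service {name!r} ({path}):")
        for r in reasons:
            print(f"  - {r}")
```

The genuine EventSystem entry passes both checks because its ImagePath points at svchost.exe and its service name matches; the fake entry is reported on all three counts. Confirm a hit with `sc qc <name>` and the ImagePath under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` before removing anything.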

Two steps need to be taken. First, remove the exploit using an anti-malware tool such as Spyware Doctor so that the process and its registry entries are removed. Second, patch Adobe Reader so the same PDF cannot reinfect the machine; read the following bulletin snippet from Adobe:

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability could cause the Adobe Reader application to abort and with high probability allows an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe has released the Adobe Reader 9.1 and Acrobat 9.1 product updates to resolve this security issue. Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

Release date: February 19, 2009

Last Updated: March 24, 2009

Vulnerability identifier: APSA09-01

CVE number: CVE-2009-0658

Platform: All platforms

Summary

This critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

