Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Security Best Practice: Blocking FDF Files Containing Timed Javascript

Subscribe

Check Point Reference: SBP-2010-04
Date Published:
Severity:
Source: Adobe Security Bulletin - APSB10-02
Industry Reference(s): CVE-2009-3956
Protection Provided by: Security Gateway
  • R70
Who is Vulnerable?
Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh
Vulnerability Description
A remote code execution vulnerability exists within the Forms Data Format (FDF) built into Adobe Acrobat Reader. FDF is a file format used for representing form data and annotations that are contained in a PDF form. A remote attacker may exploit this issue to inject JavaScript into a PDF file from any domain on the internet.
Update/Patch Available
Update patches:
Adobe Security Bulletin - APSB10-02
Vulnerability Details
The vulnerability exists within the Forms Data Format (FDF) built into Adobe Acrobat Reader. When Acrobat loads an FDF file, there is no check to ensure that the target file, which the FDF data is intended to be loaded into, resides on the same domain as where the FDF was loaded from. A remote attacker may exploit this issue by hosting a malicious FDF file, which initiates loading of a PDF document from the target domain, and then injecting script which will be executed as if it was loaded from within the target PDF domain. Successful exploitation of the vulnerability will allow the attacker to effectively inject JavaScript into a PDF file from any domain on the internet.

Protection Overview
This protection will detect and block attempts to transfer FDF files that contain JavaScript over HTTP.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection > Adobe Reader and Acrobat.
2. In the right pane, double-click the FDF Files Containing Timed JavaScript protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Adobe Reader Violation
Attack Information: FDF File Containing Timed JavaScript