Using ExeFilter against PDF exploits and zero-days such as CVE-2009-4324

This short article shows how ExeFilter can be used to disable JavaScript in PDF files, which is effective against many Adobe Reader exploits discovered in 2009, including the recent zero-day CVE-2009-4324.

PDF documents containing a new zero-day exploit for Adobe Reader 9.2 were captured in the wild in December 2009, and the corresponding vulnerability (CVE-2009-4324) was announced by Adobe on 14 December. DEP seems to mitigate the public exploits, but some claim to bypass it. A patch (Adobe Reader 9.3) was only published on 12 January 2010, which left a one-month window during which the only solutions were to disable PDF JavaScript on all computers, or to deploy Adobe's new "JavaScript Blacklist Framework" everywhere. Fortunately, antivirus vendors caught up quickly and provided signatures, sometimes within a few days. But it is also known that such signatures may be evaded by variants of an exploit: detecting exploits generically in PDF is far more complex than matching static malware signatures.

Since this vulnerability is exploited using JavaScript embedded in the PDF, tests have shown that malicious PDF documents cleaned by ExeFilter become innocuous. This was also the case with previous vulnerabilities such as CVE-2009-0927. Therefore, disabling JavaScript in all incoming PDF documents with such a tool on gateways is an effective measure against this type of zero-day, without requiring signatures. The limit of the approach is that it only covers exploits which need JavaScript to trigger (typically to set up the heap before the vulnerable call); a parser bug reached directly through a malformed font or image object is not affected by removing JavaScript.
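To make the mechanism concrete, here is an added illustrative Python example; it is not ExeFilter's own code and does not reproduce how ExeFilter rewrites files. It scans a PDF for the name tokens that attach JavaScript (/JavaScript as an action type or name-tree key, /JS as the script key), resolves the #xx hex escapes that an attacker may use to hide those names from naive keyword filters, and overwrites them with neutral names of identical byte length so that the cross-reference offsets of the file remain valid. The sample PDF below is constructed for the demonstration and carries only a harmless alert, not an exploit; the function names are this example's own.

```python
import re

# Constructed sample PDF (not a real exploit): the catalog's /OpenAction points at
# a JavaScript action whose /S value is hex-escaped (/J#61vaScript == /JavaScript).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /J#61vaScript "
    b"/JS (app.alert('constructed sample');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# A PDF name token is '/' followed by "regular" characters: anything that is not
# whitespace or one of the delimiter characters ( ) < > [ ] { } / %.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")

# Names that attach script code to a document or an action dictionary.
JS_NAMES = {b"JavaScript", b"JS"}


def decode_name(raw):
    """Resolve #xx escapes (PDF 1.2+) so that /J#61vaScript compares equal to
    /JavaScript. Filters that skip this step are trivially evaded."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def find_js_names(data):
    """Return (offset, decoded_name) for every JavaScript-related name token
    visible in the raw file bytes."""
    hits = []
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in JS_NAMES:
            hits.append((m.start(), name))
    return hits


def disarm_js(data):
    """Overwrite each /JavaScript or /JS name (however escaped) with a name of
    the same length made of 'X'. Reader ignores unknown dictionary keys and
    does not run an action whose /S type it does not recognise, and because the
    byte length is unchanged the xref table offsets still point at the right
    objects."""
    def neutralise(m):
        raw = m.group(1)
        if decode_name(raw) in JS_NAMES:
            return b"/" + b"X" * len(raw)
        return m.group(0)
    return NAME_RE.sub(neutralise, data)


def has_object_streams(data):
    """True if the file contains object streams (/Type /ObjStm). Those bundle
    other objects inside a (usually Flate-compressed) stream, where a raw name
    scan like the one above cannot see them. A gateway filter must inflate
    such streams before deciding a file is free of JavaScript."""
    return any(decode_name(m.group(1)) == b"ObjStm"
               for m in NAME_RE.finditer(data))


if __name__ == "__main__":
    print("before:", find_js_names(SAMPLE_PDF))
    cleaned = disarm_js(SAMPLE_PDF)
    print("after: ", find_js_names(cleaned))
    print("object streams present:", has_object_streams(SAMPLE_PDF))
```

The script payload itself is left in place as a plain string; it is unreachable once no action references it, and keeping it means the file size and offsets are untouched. Object streams and encrypted documents are the two cases where a raw scan is blind, which is why has_object_streams() is exposed as a separate check: a filter that silently passes such files would give a false sense of safety.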

You may test it easily by yourself by following these steps:

  1. Download a CVE-2009-4324 sample exploit generator from http://www.securityfocus.com/data/vulnerabilities/exploits/37331.py
  2. Run "python 37331.py exploit.pdf" to generate a sample PDF (you may open it on a vulnerable system without DEP to check that it works).
  3. Clean it using "python ExeFilter.py exploit.pdf -o cleaned.pdf".
  4. Open cleaned.pdf on the same vulnerable machine: since JavaScript has been disabled in the file, the exploit is not triggered.

See the ExeFilter page and documentation for more details.