









Malicious PDF Files attack computer


F-Secure reports that e-mails containing malicious PDF files have been putting computers at risk since Friday. A malicious PDF file named report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar has been spammed in large volumes through e-mail. The PDF carries an exploit that downloads ms32.exe, which in turn downloads more components.


The exploit takes advantage of an unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows that allows remote attackers to execute arbitrary code via a crafted PDF file; it is related to the mailto: option and Internet Explorer 7 on Windows XP. The e-mails, sent in bulk, looked like credit card statements. When such PDF files are viewed on vulnerable machines, they start downloading software from servers in Malaysia or Sweden, which are now being cleaned. This is a serious threat because PDF attachments are typically not filtered at e-mail gateways.

Adobe has released a patch for this flaw. It was made available a few days ago, but many users have not updated the program. Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1 by utilizing the product’s automatic update facility.

To fix this security threat manually, carefully follow the instructions below:

  1. Exit Adobe Reader or Acrobat.
  2. Open RegEdit. On Windows, go to Start > Run, type in regedit and click OK.
  3. Choose File > Export.
  4. Select Local Disk C for the Save in: location.
  5. Type backup for File Name.
  6. Choose All for the Export Range.
  7. Click Save.
  8. Navigate to the appropriate registry key:
    NOTE: When editing the key values for Adobe Reader and Acrobat 7.0.9, Regedit will launch an Edit Binary Value window. Be sure to edit the values below using the right panel of the window.

    Acrobat:
    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Acrobat\7.0\FeatureLockDown\cDefaultLaunchURLPerms

    Reader:
    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\7.0\FeatureLockDown\cDefaultLaunchURLPerms

  9. If tSchemePerms is set as follows:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2
  10. To disable mailto (recommended):
    Modify tSchemePerms by setting the mailto: value to 3:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
  11. To set mailto to prompt:
    Modify tSchemePerms by removing the mailto: value:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|file:2
  12. Close RegEdit.
  13. Restart the application.
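
Hand-editing the long tSchemePerms string in steps 9 to 11 is easy to get wrong, so the following added example (not Adobe's code and not part of the original post) computes the rewritten value and lists which schemes are still not blocked. The function names are hypothetical, and the script only transforms the string: it does not read or write the registry, so the result is pasted into RegEdit as described above.

```python
# Added example: rewrite a tSchemePerms string as in steps 9-11.
# Assumption taken from the steps above: value 3 disables a scheme,
# and removing the entry makes the application prompt.
BLOCK = "3"

# The starting value shown in step 9.
PAGE_DEFAULT = (
    "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|"
    "mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|"
    "mailto:2|file:2"
)

def parse_scheme_perms(value):
    """Split 'version:1|shell:3|...' into an ordered list of (scheme, perm)."""
    entries = []
    for item in value.strip().split("|"):
        if not item:
            continue
        scheme, sep, perm = item.rpartition(":")
        if not sep or not scheme or not perm.isdigit():
            raise ValueError(f"malformed tSchemePerms entry: {item!r}")
        entries.append((scheme, perm))
    return entries

def set_scheme(value, scheme, mode):
    """mode='block' sets scheme:3 (step 10); mode='prompt' removes it (step 11)."""
    if mode not in ("block", "prompt"):
        raise ValueError("mode must be 'block' or 'prompt'")
    scheme = scheme.lower().rstrip(":")
    out, seen = [], False
    for name, perm in parse_scheme_perms(value):
        if name.lower() == scheme:
            if mode == "block" and not seen:
                out.append((name, BLOCK))  # keep the entry's original position
            seen = True
            continue
        out.append((name, perm))
    if mode == "block" and not seen:
        out.append((scheme, BLOCK))  # entry was absent: add it explicitly
    return "|".join(f"{n}:{p}" for n, p in out)

def not_blocked(value):
    """Schemes listed with a value other than 3 (the version field is skipped)."""
    return [n for n, p in parse_scheme_perms(value)
            if n.lower() != "version" and p != BLOCK]

if __name__ == "__main__":
    print("not blocked now:", not_blocked(PAGE_DEFAULT))
    print("step 10 value:  ", set_scheme(PAGE_DEFAULT, "mailto", "block"))
    print("step 11 value:  ", set_scheme(PAGE_DEFAULT, "mailto", "prompt"))
```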
