Adobe JBIG2 Buffer Overflow
In case you haven’t seen this, it’s being exploited in the wild, and a number of blogs are already discussing the specific details of the vulnerability. It’s pretty serious because Acrobat Reader is installed nearly everywhere, across a wide range of operating systems, and a malicious PDF only needs the victim to open it.
You can learn more about the vulnerability at the following sources:
Just like every other browser-delivered exploit, this one is pretty tough on DPI and IPS devices, since it’s non-trivial to write a signature that catches every variation of the malicious file. We’ve added a packet capture on pcapr to illustrate the point. The pcap was generated by running the exploit to produce the PDF and then serving it inside an HTTP response with Transfer-Encoding set to chunked (64-byte chunks), with the TCP stream further broken into 64-byte segments. On the wire, the bytes a signature is looking for are interrupted by chunk-size headers and segment boundaries, so unless your IPS reassembles the stream and does chunked decoding, it probably won’t pick it up. Given that the server hosting the malicious PDF has full control over how it is delivered, it’s easy to set it up to evade most signatures. Throw in a Content-Encoding of gzip or deflate, so the signature bytes never appear on the wire at all, and it gets pretty damn hard to detect an exploit for this vulnerability without fully decoding the response.
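To make the evasion concrete, here is an added example (our own illustration, not code from the original post or the exploit itself) that builds the same kind of HTTP response and runs two scanners over it: one that pattern-matches the raw wire bytes, and one that undoes chunked transfer encoding and gzip before matching. The byte pattern used as the "signature" is a constructed stand-in: /JBIG2Decode is the PDF filter name a signature for this bug would plausibly key on, the PDF around it is filler, and no real exploit bytes are included.

```python
import gzip

# Constructed stand-in for the pattern an IPS signature would key on. The real
# exploit PDF is not reproduced; "/JBIG2Decode" is the PDF filter name such a
# signature would plausibly match, and the stream contents are filler bytes.
SIGNATURE = b"/JBIG2Decode"

# The signature starts at body offset 59 in this constructed file, so with
# 64-byte chunks it straddles the first chunk boundary ("/JBIG" | "2Decode").
PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Filter "
       + SIGNATURE + b" /Width 1 /Height 1 /Length 200 >>\nstream\n"
       + b"A" * 200 + b"\nendstream\nendobj\n%%EOF\n")


def chunked_encode(body: bytes, chunk_size: int) -> bytes:
    """Wrap body in HTTP/1.1 chunked transfer encoding with fixed-size chunks."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        chunk = body[i:i + chunk_size]
        out += b"%x\r\n" % len(chunk) + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def chunked_decode(data: bytes) -> bytes:
    """Reassemble a chunked body; raises ValueError on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        out += data[start:start + size]
        if data[start + size:start + size + 2] != b"\r\n":
            raise ValueError("bad chunk terminator")
        pos = start + size + 2


def build_response(body: bytes, chunked: bool, chunk_size: int = 64,
                   gzipped: bool = False) -> bytes:
    """Build the HTTP response a hostile server could use to deliver the PDF.

    gzip is applied before chunking, which is the order a real server uses:
    Content-Encoding describes the entity, Transfer-Encoding the hop framing.
    """
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: application/pdf"]
    if gzipped:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        body = chunked_encode(body, chunk_size)
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def naive_scan(wire: bytes) -> bool:
    """IPS that pattern-matches the raw payload bytes without decoding."""
    return SIGNATURE in wire


def decoding_scan(wire: bytes) -> bool:
    """IPS that parses the headers, undoes chunking and gzip, then matches."""
    head, _, body = wire.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = chunked_decode(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return SIGNATURE in body


if __name__ == "__main__":
    for label, resp in [
        ("plain", build_response(PDF, chunked=False)),
        ("chunked/64", build_response(PDF, chunked=True, chunk_size=64)),
        ("gzip", build_response(PDF, chunked=False, gzipped=True)),
        ("gzip+chunked/64", build_response(PDF, chunked=True, gzipped=True)),
    ]:
        print(f"{label:16} naive={naive_scan(resp)!s:5} decoding={decoding_scan(resp)}")
```

Only the plain response trips the naive scanner; with 64-byte chunks the signature is split across a chunk boundary, and with gzip the literal bytes never appear on the wire, yet the decoding scanner finds it in every case. TCP segmentation is the same problem one layer down: a sensor that matches per packet instead of on the reassembled stream can be beaten by any boundary the attacker controls, and the server controls all of them.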