PDF javascript exploit (PDF_JavaScript_Exploit)

About this signature or vulnerability

BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology:

This signature triggers when the following two conditions are met: 1) a PDF document contains embedded JavaScript, and 2) the embedded JavaScript triggers a JavaScript event. In conjunction with this event, you will see at least one other JavaScript event triggering, possibly more. This signature allows you to enable blocking or reporting for PDF documents that trigger a JavaScript event, of which you might have otherwise disabled blocking or reporting.


False positives

BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology: This signature triggers only in conjunction with other JavaScript events. See False Positive details for the associated JavaScript events.

False negatives

BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology: This signature will not trigger when a JavaScript exploit is not recognized. See 'PDF_JavaScript_Detected' for triggering an event when JavaScript is detected in a PDF document.

Default risk level

High risk vulnerability  High

Sensors that have this signature

BlackICE Server Protection: 3.6.cqv, BlackICE PC Protection: 3.6cqv, RealSecure Server Sensor: XPU 28.020, RealSecure Network: XPU 28.020, Proventia Server IPS for Linux technology: 28.020, Proventia Network IPS: XPU 28.020, Proventia Desktop: 2160, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network MFS: XPU 28.020, Proventia Server IPS for Microsoft Windows technology: 2.0.252.2160, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2160

Systems affected

Adobe Acrobat Reader

Type

Unauthorized Access Attempt

Vulnerability description

A .pdf file containing embedded JavaScript that will trigger a JavaScript event has been detected. By persuading a victim to open a specially-crafted PDF document, an attacker could be attempting to execute arbitrary code on the system.

How to remove this vulnerability

This check is for informational purposes only.

References

ISS X-Force
PDF javascript exploit
http://www.iss.net/security_center/static/40407.php