PDF JavaScript exploit (PDF_JavaScript_Exploit)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature triggers when the following two conditions are met: 1) a PDF document contains embedded JavaScript, and 2) the embedded JavaScript triggers a JavaScript event. In conjunction with this event, you will see at least one other JavaScript event triggering, possibly more. This signature lets you enable blocking or reporting for PDF documents that trigger a JavaScript event for which you might otherwise have disabled blocking or reporting.


False positives

Proventia Network IPS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: This signature triggers only in conjunction with other JavaScript events. See False Positive details for the associated JavaScript events.
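For triage, each PDF_JavaScript_Exploit alert can be paired with the JavaScript events that fired alongside it, so the analyst knows which signatures' false-positive details to consult. The Python sketch below is an added example, not code from the vendor or the sensors; the alert field names, the JavaScript_Placeholder_* and HTTP_Placeholder_C signature names, the 5-second window and the rule for what counts as a companion event are all assumptions.

```python
TRIGGER = "PDF_JavaScript_Exploit"
# Signatures about the PDF container itself, not companion JavaScript events
# (an assumption about how to classify them).
CONTAINER_SIGS = {TRIGGER, "PDF_JavaScript_Detected"}

# Constructed alerts; field names and the *_Placeholder_* signature names
# are hypothetical, not real sensor output.
SAMPLE_ALERTS = [
    {"time": 100, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "PDF_JavaScript_Detected"},
    {"time": 101, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "JavaScript_Placeholder_A"},
    {"time": 101, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": TRIGGER},
    {"time": 102, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "JavaScript_Placeholder_B"},
    {"time": 400, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "JavaScript_Placeholder_A"},
    {"time": 900, "src": "192.0.2.77", "dst": "198.51.100.5", "sig": TRIGGER},
    {"time": 901, "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "HTTP_Placeholder_C"},
]


def is_companion(sig):
    """A JavaScript event other than the two PDF container signatures."""
    return "JavaScript" in sig and sig not in CONTAINER_SIGS


def pair_companions(alerts, window=5):
    """Pair each trigger alert with companion events on the same src/dst
    within `window` seconds. An alert with no companion is marked for
    review, since the signature should only fire alongside one."""
    results = []
    for hit in (a for a in alerts if a["sig"] == TRIGGER):
        names = sorted({
            a["sig"] for a in alerts
            if is_companion(a["sig"])
            and (a["src"], a["dst"]) == (hit["src"], hit["dst"])
            and abs(a["time"] - hit["time"]) <= window
        })
        results.append({"time": hit["time"], "src": hit["src"],
                        "dst": hit["dst"], "companions": names,
                        "needs_review": not names})
    return results


if __name__ == "__main__":
    for row in pair_companions(SAMPLE_ALERTS):
        print(row)
```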

False negatives

Proventia Network IPS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: This signature will not trigger when a JavaScript exploit is not recognized. See 'PDF_JavaScript_Detected' for triggering an event when JavaScript is detected in a PDF document.

Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 28.020, Proventia Desktop: 2160, BlackICE PC Protection: 3.6cqv, BlackICE Server Protection: 3.6.cqv, RealSecure Network: XPU 28.020, RealSecure Server Sensor: XPU 28.020, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network MFS: XPU 28.020, Proventia Network IDS: XPU 28.020, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.252.2160, IBM Security Server Protection for Windows: 1.0.914.2160, Proventia Server IPS for Linux technology: 28.020, Virtual Server Protection for VMware: 1.0

Systems affected

Adobe Acrobat Reader

Type

Unauthorized Access Attempt

Vulnerability description

A PDF file containing embedded JavaScript that will trigger a JavaScript event has been detected. An attacker could be attempting to execute arbitrary code on the system by persuading a victim to open a specially crafted PDF document.

How to remove this vulnerability

This check is for informational purposes only.

References

ISS X-Force
PDF javascript exploit
http://www.iss.net/security_center/static/40407.php