Cisco Security

Obfuscated PDF Document

 
Signature ID: 23099/1
Original Release: S751
Release: S751 (download)
Original Release Date: 2013 October 30
Latest Release Date: 2013 October 30
Default Enabled: True
Default Retired: False
Alarm Severity: High
Fidelity: 85

Description

This signature identifies potentially malicious PDF documents by looking for a common form of obfuscation applied to them. If this signature fires, it may indicate an attempt to exploit a PDF reader or browser vulnerability while hiding the fact that it is doing so. This signature is a lighter-weight version of the Obfuscated PDF Document signature (23099-0). It uses less memory and CPU processing, but may match non-PDF traffic.

Recommended Filter

There are no suggested filters.

Benign Triggers

This signature is less precise than 23099-0 and does not anchor on the start of a PDF document, so it may fire on traffic that is not a PDF document. It does not obsolete 23099-0, because the two signatures differ in how precisely they match traffic. The choice of which signature to use is left to the device administrator.

IntelliShield Alerts

IntelliShield ID | Headline | Version | CVSS Score | Last Published
19605 | Script Obfuscation in Adobe Reader and Acrobat PDF Exploits | 1 | | 2009 December 16 16:09 GMT
19948 | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | 3 | 9.3/7.3 | 2010 March 15 12:58 GMT
21341 | Adobe Reader and Acrobat CoolType.dll Remote Buffer Overflow Vulnerability | 4 | 9.3/7.7 | 2010 October 07 13:19 GMT

Download

To download this and other IPS update files, please go to Cisco Secure Software Download.

LEGAL DISCLAIMER
THE INFORMATION ON THIS PAGE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED FROM THE DOCUMENT, IS AT YOUR OWN RISK. INFORMATION IN THIS DOCUMENT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.