Adobe Flash Update
Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe Air.
The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.
Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.
To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links; 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, you let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).
The installer for the latest Adobe Air version is available from this link.
Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.
“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”
Mac Flashback Trojan
The security by obscurity myth is finally blown out of the water… Macs are pretty much mainstream these days, and it yet again proves my point about Mac virus resistance: it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.
Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.
The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.
“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”
By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.
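To make the same check the paragraph describes (which definitions XProtect.plist currently carries, including duplicate labels and whether a given family is covered at all), here is an added Python example; it is not Apple's or the original author's code. The layout it assumes (a top-level array of dicts, each with a Description string and a Matches array) is an assumption about XProtect.plist, and SAMPLE_PLIST is constructed test data with placeholder patterns, not a copy of Apple's file.

```python
"""List the malware definitions present in an XProtect.plist file.
Added example; not Apple's code. Key names (Description, Matches,
MatchType, Pattern) are assumed; SAMPLE_PLIST is constructed data."""

import plistlib
from collections import Counter
from typing import Dict, List

# Location quoted in the article for OS X 10.6/10.7.
XPROTECT_PATH = "/System/Library/CoreTypes.bundle/Contents/Resources/XProtect.plist"

# Constructed sample: two entries share the "OSX.HellRTS" label, as the
# article notes, Revir.A is present, and Flashback is not. The Pattern
# values are placeholders, not real signatures.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.HellRTS</string>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>PLACEHOLDER01</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.HellRTS</string>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>PLACEHOLDER02</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>PLACEHOLDER03</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Revir.A</string>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>PLACEHOLDER04</string>
    </dict></array>
  </dict>
</array>
</plist>
"""


def load_definitions(plist_bytes: bytes) -> List[dict]:
    """Parse the plist and return its top-level array of definition dicts."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, list):
        raise ValueError("expected a top-level array of definitions")
    return data


def label_counts(plist_bytes: bytes) -> Dict[str, int]:
    """Map each Description label to the number of entries carrying it,
    so duplicate labels (the two OSX.HellRTS entries) are visible."""
    counts = Counter(entry.get("Description", "<unnamed>")
                     for entry in load_definitions(plist_bytes))
    return dict(counts)


def has_definition(plist_bytes: bytes, family: str) -> bool:
    """True if any Description label contains the family name (case-insensitive)."""
    needle = family.lower()
    return any(needle in entry.get("Description", "").lower()
               for entry in load_definitions(plist_bytes))


def report(plist_bytes: bytes) -> str:
    """Human-readable summary: one line per label plus the total."""
    counts = label_counts(plist_bytes)
    lines = [f"{label}: {n}" for label, n in sorted(counts.items())]
    lines.append(f"total definitions: {sum(counts.values())}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real Mac, read open(XPROTECT_PATH, "rb").read() instead of the sample.
    print(report(SAMPLE_PLIST))
    print("Revir covered:", has_definition(SAMPLE_PLIST, "Revir"))
    print("Flashback covered:", has_definition(SAMPLE_PLIST, "Flashback"))
```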
Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.
“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates a SHA1 hash of the malware to see if it has changed. If the SHA1 of the software version on the server is different from that installed, this means that an update is necessary.”
With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.
I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free… With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30-second spot could turn out to be some of history’s most damaging tech-related FUD.
Earlier I wrote that most targeted vulnerabilities these days are actually in Flash, PDF or Java via Internet Explorer (IE), and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit its users can offer.
How Windows gets malware
When a Microsoft Windows machine gets infected by viruses/malware, it does so mainly because users forget to update Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S, which has been collecting data for three months on actual infections of computers by drive-by attacks on browsers. Drive-by attacks are when you go to an innocent website and get a virus anyway, typically from ads or hacked links.
Basis of the study
CSIS has, over a period of almost three months, actively collected real-time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox actively used by computer criminals to take advantage of vulnerabilities in popular software. Up to 85% of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.
The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk.
CSIS monitored more than 50 different exploit kits on 44 unique servers/IP addresses. The figures come from the kits’ underlying statistical modules, giving as precise an overview of the threat landscape as possible. The statistical material covers, all in all, more than half a million user exposures, of which as many as 31.3% were infected with virus/malware due to missing security updates.
Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:
CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code
The report above describes those operating systems, browsers, and applications that are vulnerable in the real world scenarios they have observed. Here it is slimmed down:
Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.
The salient point is that fully updated and patched installs let 70% of the infections through, mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits). All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.
Conclusion: 99.8% of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:
Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%
For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.
We don’t want you getting viruses because it’s difficult to remove and more importantly, expensive and time consuming.
1. Uninstall Java. Most end users never have a need for it and don’t update it.
2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.
3. Update Flash as often as it asks you to, or switch to Chrome.
4. Use ESET NOD32 & HitmanPro for protection
Software updates: Adobe
Adobe issued its monthly update last week to eliminate 13 security flaws in its PDF Reader and Acrobat products. Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.
Affected software versions
• Adobe Reader X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Reader 8.3 and earlier 8.x versions for Windows and Macintosh
• Adobe Acrobat X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Acrobat 8.3 and earlier 8.x versions for Windows and Macintosh
Severity rating
Adobe categorizes these as critical updates.
Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.
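To turn the version thresholds quoted on this page (the Flash/AIR advisory at the top and the Reader/Acrobat affected-version list just above) into a check you can run over a software inventory, here is an added Python example; it is not Adobe's or the original author's code. The ADVISORIES table transcribes the page's numbers (AIR is treated as affected at 3.0 and below, an assumption), and INSTALLED is a constructed inventory.

```python
"""Flag installed Adobe products that fall inside the affected version
ranges quoted on this page. Added example; not Adobe's code.
ADVISORIES transcribes the page's thresholds; INSTALLED is constructed."""

from typing import List, Optional, Tuple

Entry = Tuple[str, Tuple[str, ...], str, Optional[int], Optional[str]]

# (product, platforms, affected up to and including, branch major or None,
#  fixed-in version or None when the page gives only the affected range)
ADVISORIES: List[Entry] = [
    ("Flash Player", ("desktop",), "11.0.1.152", None, "11.1.102.55"),
    ("Flash Player", ("android",), "11.0.1.153", None, "11.1.102.59"),
    ("AIR", ("desktop", "android"), "3.0", None, "3.1.0.4880"),  # assumption: 3.0 and below
    ("Reader", ("desktop",), "10.1", 10, None),
    ("Reader", ("desktop",), "9.4.5", 9, None),
    ("Reader", ("desktop",), "8.3", 8, None),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.0.1.152' -> (11, 0, 1, 152); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Three-way compare (-1, 0, 1) on numeric components, padding the
    shorter tuple with zeros so '10.1' equals '10.1.0'. Comparing the
    raw strings would wrongly rank '9.4.5' above '10.1'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def find_advisory(product: str, platform: str, installed: str) -> Optional[Entry]:
    """Return the advisory entry whose affected range covers this install,
    or None. Branch-scoped entries (Reader 8.x/9.x/10.x) only apply when
    the major version matches; unscoped entries cover everything at or
    below the threshold."""
    major = parse_version(installed)[0]
    for entry in ADVISORIES:
        prod, platforms, max_affected, branch, _fixed = entry
        if prod != product or platform not in platforms:
            continue
        if branch is not None and major != branch:
            continue
        if compare_versions(installed, max_affected) <= 0:
            return entry
    return None


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """For each (product, platform, version), return (product, version, action)
    for the installs that still need an update."""
    findings = []
    for product, platform, installed in inventory:
        entry = find_advisory(product, platform, installed)
        if entry is None:
            continue
        action = entry[4] or "see Adobe advisory for the fixed version"
        findings.append((product, installed, action))
    return findings


# Constructed inventory: a mix of patched and unpatched installs.
INSTALLED = [
    ("Flash Player", "desktop", "11.0.1.152"),   # exactly the affected maximum
    ("Flash Player", "desktop", "11.1.102.55"),  # already at the fixed version
    ("Flash Player", "android", "11.0.1.153"),   # affected Android build
    ("AIR", "desktop", "3.1.0.4880"),            # patched
    ("Reader", "desktop", "9.4.5"),              # affected 9.x
    ("Reader", "desktop", "10.1"),               # affected 10.x
    ("Reader", "desktop", "10.1.1"),             # above the 10.x threshold
]

if __name__ == "__main__":
    for product, version, action in check_inventory(INSTALLED):
        print(f"{product} {version}: update to {action}")
```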
Proactive protection for your computer and Java exploits
A few months back, I posted some demographics on current malware. In that post, I stated that one should not use Internet Explorer (IE) for browsing the web and that anti-virus solutions are becoming irrelevant. Software that merely papers over flaws in Windows is just not working, and that is becoming evident in increasing volume.
So to recap:
- If you can refrain from using Internet Explorer, Java, and Adobe Flash and Reader on a Windows operating system, then you can successfully decrease your percentage of getting hosed.
- 75% of malware is missed by anti-virus software.
- 75% of browser infections are caused by browsing with Internet Explorer.
Remember, these are not absolute guarantees that you will not be owned at some point. Roaming the Internet these days can be a scary venture, and most people are oblivious to the risks they take.
Speaking of Java and current rates of infection of Windows-based operating systems, here is a screenshot of current systems showing the rate of exploitation; notice Windows 7 and the list of browsers. Running any browser on Windows these days will get you taken to the cleaners eventually.
On Dec. 29, the SANS Internet Storm Center warned about a wave of Java attacks that were apparently using this social engineering approach to great effect. The attacks were taking advantage of built-in Java functionality that will prompt the user to download and run a file, but using an alert from Java (if a Windows user accepts, he or she is not bothered by a separate prompt or warning from the operating system).
Researchers at Kaspersky Lab also have tracked a sizable uptick in attacks leveraging social engineering via Java. Vyacheslav Zakorzhevsky, a senior malware analyst at the Russian security firm, covered this trend in the company’s December 2010 monthly malware statistics report.
“In our November review we wrote about the explosive growth of the Trojan-Downloader.Java.OpenConnection family. These programs act in just the same way as exploits do in the latter stages of a drive-by attack, but instead of using vulnerabilities to download malware to victims’ computers, they employ the OpenConnection method of a URL class.”
“Two representatives of Trojan-Downloader.Java.OpenConnection (2nd and 7th places) were among the Top 20 malicious programs detected on the Internet in December. At the height of their activity the number of computers on which these programs were detected in a 24-hour period exceeded 40,000.”
“As we just mentioned, all the representatives of the Trojan-Downloader.Java.OpenConnection family, instead of exploiting vulnerabilities, use standard Java functionality to download and run files from the web. This is currently one of the prime download methods for malicious programs written in Java. It appears that until Oracle closes the functionality this family uses to download files its popularity will continue to grow.”
The graphic below shows the number of computers that Kaspersky found were infected with Trojan-Downloader.Java.OpenConnection in the last six weeks of 2010.
I’m not advocating mass abandonment of Java, but I urge users who have no reason to use this program to get rid of it, particularly on systems that are shared by less careful Web surfers. I have Java installed on a couple of my PCs where a particular software program requires it to run properly, but I have disconnected the Java plugins from the browsers on those systems.
If you’re a Firefox user and a Web site you frequent requires Java, consider installing and using the excellent NoScript extension, which will block Web sites from running Java applets unless you specifically whitelist them.
Java malware, incidentally, is generally known for exploiting vulnerabilities in Java, probably ones patched by Oracle/Sun, but targeting the still-large number of users with old versions. The Trojan-Downloader.Java.OpenConnection family, in contrast, is a simple downloader written in Java. It downloads other malware and executes it. In other words, it’s a social networking attack.
Should you dump Java? It’s not a simple question. Apps and applets which require Java are not quite ubiquitous, but neither are they rare.
Java has become the #1 way for malicious hackers to break into your computer, using Java’s numerous security problems to install malware, viruses, or password stealers. This is a problem for ANY computer with Java installed, PC or Mac.
The worst part is, the vast majority of people have NO use for Java on their computer. Java is a relic of the early 2000s, when Java applets added needed functionality to web browsers. It has long been surpassed by other technologies. It is time to remove Java from your computer.
You have 2 options for removing Java from your computer. If you don’t know what Java is, and haven’t seen the Java logo (see image), then you likely have never used it and can remove it once and for all (Option #1 below). If, in the very unlikely event you find that you do need Java sometime in the future, you can always reinstall it from the Java website.
If you have seen the Java logo recently, and aren’t sure if you want to completely remove it, you can disable it from running in your web browser. See Option #2 below.
Here’s how
Option #1: Remove Java Completely
Luckily, this is quite easy. Click on Start -> Settings -> Control Panel -> Add/Remove Programs. Find any entries that begin with “Java 2” – it should be something like “Java Runtime Environment”. Remove it and then restart your computer. All done!
Option #2: Disable Java in your Web Browser
This depends on which web browser you use.
Firefox:
Click on Tools in the Firefox menu
Choose Add-ons
Choose the Plugins tab
Click on any entries that start with Java
Click Disable
Internet Explorer:
Click on Tools in the IE menu
Choose Internet Options
Click on the Programs tab, then click on Manage Add-ons
Click on any entries that start with Java
Click Disable
Google Chrome:
In the address bar, type: “about:plugins”
Find the Java plugins and click Disable
Safari:
Click on the Edit menu and choose Preferences
Choose the Security icon
Uncheck the box that says “Enable Java”
Google quashes 13 Chrome bugs, adds PDF viewer
Google on Thursday patched 13 vulnerabilities in Chrome as it shifted the most stable edition of the browser to version 8.
Chrome 8 also debuted Google’s built-in PDF viewer shown below, as an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store.
The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser’s history, its video indexing and the display of SVG (scalable vector graphics) animations.
Four of the baker’s dozen are tagged as “high” level bugs, Google’s second-most-serious rating, while five are pegged “medium” and four are labeled as “low.”
Google paid $4,000 in bounties to five researchers for reporting vulnerabilities. Since mid-August, Google has handed out over $29,000 in bug bounty payments.
Among the researchers credited with submitting flaws was Nirankush Panchbhai, who works in Microsoft’s vulnerability research group. Panchbhai was not one of the researchers paid a bounty.
Per its practice, Google locked its bug tracking database to bar outsiders from reading the technical details of the vulnerabilities. The company usually unlocks access to a flaw at a later date — sometimes within weeks, often only after months have passed — to give users time to update before the hacker-useful information goes public.
The update to the “stable” build — Google maintains three separate “channels” for Chrome, ranging from stable to “beta” to “dev” — also included an integrated PDF viewer, which Google first introduced to the dev channel last summer. The viewer renders PDF documents as HTML-based pages, and doesn’t require Adobe Reader’s free browser plug-in, or any of the alternatives.
The PDF viewer operates within Chrome’s “sandbox,” a security feature that isolates processes to make it more difficult for malware to affect the browser or infect the computer.
Google also added support for the Chrome Web Store to the browser with version 8. Multiple references to the store, which Google announced last May but has yet to take public, appeared in the Chrome 8 release notes.
That support may mean Google is close to opening the Web Store to customers, who will be able to browse, purchase and download Web applications, including extensions, to run in Chrome and other standards-compliant browsers.
Developers have had access to early versions of the Web Store for several months, but Google has only promised to publicly launch it before the end of the year.
Thursday’s update to version 8 came a little more than six weeks after Google released Chrome 7 to the stable channel. Previously, the company said it would refresh the browser every 6-8 weeks.
If the past is any indication, most users will be running Chrome 8 within a couple of weeks.
Last month, Web analytics company Net Applications reported that Chrome’s “silent” update mechanism — unlike other browsers, Chrome automatically updates without any user interaction — had “almost completely replaced” version 6 with Chrome 7 less than two weeks after the latter’s Oct. 19 debut.
Earlier this week, Net Applications reported that Chrome’s global share of the browser usage market stood at a record 9.3%.
On Wednesday, Google updated the Windows dev build of Chrome to include a sandbox that shields users from exploits of Adobe Flash Player vulnerabilities.
Aurora Attack — Resistance Is Futile, Pretty Much
“Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed ‘Aurora’ attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: ‘1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim’s machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.’ The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of.”
Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.
Major attack preventer: use either the Foxit PDF reader or Google’s viewer. Google has long offered Gmail users the ability to open PDF attachments as HTML files without downloading the file and firing up Adobe Acrobat, Foxit or any other PDF viewer. But you lose a lot in the translation when you convert a PDF file to HTML.
Now Google has begun allowing users to open PDF files using the Google Docs PDF viewer. That means you can view PDFs sent to your email inbox without downloading them and without losing the formatting, graphics, or other elements that make PDFs so darn fun to look at.
Adobe, just as flawed as Microsoft
Adobe is urging users of its PDF Reader and Acrobat software to install an update that fixes a couple of critical security holes in the products. The patches come amid news that booby-trapped PDF files were responsible for roughly 80 percent of the exploits detected in the 4th quarter of 2009.
The latest update brings Adobe Reader to version 9.3.1, and fixes a pair of vulnerabilities that Adobe has labeled “critical,” which means the flaws could be used to install malicious software on vulnerable systems. Updates are available for Windows, Mac and Linux versions.
If you use Adobe Reader, please apply this update. Then, take a moment to turn off JavaScript, the feature in Reader that is most exploited by attackers. To do this, follow these instructions:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
Better yet, consider using an alternative PDF reader, such as the free Foxit Reader. I also disable JavaScript in Foxit, mainly because I find I don’t need it.
Earlier this week, Web security firm ScanSafe released a report (.pdf !) showing that roughly 80 percent of the Web-based exploits it detected in the last three months of 2009 attacked Adobe Reader vulnerabilities. Add Adobe Flash vulnerabilities into the mix, and the two programs made up the lion’s share of the Web exploits ScanSafe detected in Q409.
For its part, Firefox maker Mozilla at the end of last year began tracking a huge uptick in the number of Firefox crashes due to Adobe Reader. As some posters to this Mozilla Bug Database entry posit, the crashes were almost certainly due to increased exploitation of the Adobe Reader zero-day vulnerability that Adobe finally patched on Jan. 12, weeks after evidence surfaced that criminal hackers were exploiting the flaw in targeted attacks.
Update, 4:06 p.m. ET: If you decide to do without Adobe Reader and uninstall it, you might want to nix the Adobe Download Manager as well. Researcher Aviv Raff points to some nifty work he’s done which shows that Adobe’s Download Manager — which ships with all new versions of Flash and Reader — can be forced to reinstall an application that’s been removed, such as Reader. According to Raff, a Web site could hijack the Adobe Download manager to download and install any of the following:
- Adobe Flash 10
- Adobe Reader 9.3
- Adobe Reader 8.2
- Adobe Air 1.5.3
- ARH tool – allows silent installation of Adobe Air applications
- Google Toolbar 6.3
- McAfee Security Scan Plus
- New York Times Reader (via Adobe Air)
- Fanbase (via Adobe Air)
- Acrobat.com desktop shortcut
Raff writes: “So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.” Read more on his findings at this link here.
Serious IE and Windows flaws left to fester
Microsoft won’t fix vulnerabilities in the latest versions of Internet Explorer or Windows during its regularly scheduled patch release on Tuesday, meaning users will have to wait at least another month to get updates that correct the security risks.
The software maker on Thursday said January’s Patch Tuesday will include a single bulletin that fixes a vulnerability that carries a severity rating of “critical” in Windows 2000 and “low” in all other versions of the operating system. That’s one of the slimmest ever offerings since Microsoft began the practice of releasing security fixes on the second Tuesday of every month.
That may lighten the load on IT admins, but it also means potentially serious vulnerabilities known to affect Internet Explorer 8 and Windows 7 will be allowed to fester for at least another 28 days.
As reported previously, the IE 8 bug can enable attacks against people browsing websites that are otherwise safe to view. The flaw can be exploited to introduce XSS, or cross-site scripting, exploits on web pages, allowing attackers to inject malicious content and code. Ironically, it resides in a feature Microsoft added to harden the browser against that very type of attack.
There are no reports of hackers targeting the vulnerability, but several months ago, Google began overriding the XSS protection on many of its web properties citing a “significant flaw” in the IE8 feature. Jeremiah Grossman, a web application expert at WhiteHat Security, offers guidance here on whether webmasters should follow Google’s lead.
Also remaining unfixed is a bug that allows an attacker to completely lock up systems running Vista/7 and Windows 2008R2. The flaw, which resides in the OSes’ SMB, or server message block, can be triggered remotely by sending malformed traffic that specifies incoming packets that are smaller or larger than they actually are. SMB is a network protocol used to provide shared access to files and printers.
Microsoft’s Jerry Bryant said the company is still working on a fix for the SMB flaw and is not aware of any in-the-wild attacks that target the weakness.
Also coming Tuesday is an update for a critical vulnerability in Adobe’s Reader and Acrobat applications that allows attackers to remotely execute malicious code on the machines of people who open booby-trapped PDF files. That vulnerability is being actively exploited in attacks aimed at specific individuals.
Active Exploitation Of Unpatched PDF Vulnerability
It’s not the first time this has happened; back in February 2009, hackers targeted a 0-day exploit in PDF Reader.
With one variant of this current attack seeing 34,000 detections on Symantec’s network alone, it could be considered fairly widespread.
A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.
The SANS Institute’s Internet Storm Center (ISC) reported Monday that they’d received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF “sophisticated” and its use of egg-hunt shellcode “sneaky.”
“Egg-hunt shellcode” is a term for a multi-stage payload used when the hacker can’t determine where in a process’ address space the code will end up.
Today, Joshua Talbot, security intelligence manager at Symantec, confirmed that the malicious PDF exploited the Adobe Reader and Acrobat vulnerability, but unlike Zdrnja, said it wasn’t out of the ordinary. “It’s not particularly novel or sophisticated,” Talbot said.
It seems the solution is the same as it has always been, disable JavaScript support in PDF Reader. But honestly, how many non-tech savvy users will do that? Or even know HOW to do that?
Our recommendation of course is always to use Foxit PDF Reader and avoid these issues all together.
Which I have of course recommended since 2008, back when Adobe PDF Reader was getting pwned two years ago.
All the maker of the recently-discovered exploit did, Talbot added, was take code published in a 2004 research paper and make minor modifications. “These techniques aren’t new or clever, but the same things that all attackers are doing,” Talbot argued.
Although the malicious PDF described by ISC has been seen in only limited numbers — designed for high-profile targets, such as company executives or personnel with access to network passwords — Symantec has monitored bigger attacks exploiting the PDF bug. One attack generated more than 34,000 detections on Symantec’s global detection network, peaking on Dec. 31 before falling sharply.
“We’re definitely seeing activity out there, since the vulnerability is unpatched,” said Talbot. When asked to put that attack on the size scale, Talbot answered, “That puts it in the class of being actively exploited. It shows that there’s both going on … that attackers are crafting one-off exploits for their own purposes, and that there are people who are trying to distribute exploits to as many people as possible.”
Hopefully Adobe will pull the patch forward, seeing as this is being actively exploited, and push it out to users ASAP.
It’s currently stated that Adobe will release the patch on January 12th at their support site, which thankfully isn’t too far off.