Potential Adobe Reader, Acrobat, and Flash Player issue

Discussion in 'other security issues & news' started by ronjor, Jul 22, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,145
    Location:
    Texas
    Adobe
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Adobe Flash zero-day attack underway; Harden PDF Reader immediately

    Zero-day PDF Attack Goes After Flash Flaw

    YA0D (Yet Another 0-Day) in Adobe Flash player

     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Next-Generation Flash Vulnerability

     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Adobe is taking an enormous beating from the malware community. But then, they seem to have coded software with all the security of Swiss cheese.

    Solution: disable Flash, disable PDF plugin, don't open untrusted PDFs.
     
  5. BrendanK.

    BrendanK. Guest

    Just as a precaution, they tell you to disable a *.dll. I saw it on a website, but I can't remember which. I'll dig it up again :p
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    US CERT says:

    http://www.us-cert.gov/current/index.html#adobe_reader_acrobat_and_flash
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Replace Adobe Reader with Foxit Reader.
    Replace Adobe Flash with o_O maybe one day :(
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Code for the exploit has been posted. It's pretty much the same as has been used in previous exploits. The user is redirected from a compromised legitimate site to another site with this code:

    First, we see that JavaScript is required to start things:

    Code:
    <script>
    The exploit contains code to catch users with different browsers. As has been mentioned by Windchild,
    disabling plugins (activeX) prevents the PDF file from loading.

    For IE users:

    Code:
    if(navigator.userAgent.indexOf('MSIE') != -1)

    obj = new ActiveXObject(PDF[i])

    if (obj)

    <i frame src=hereEvil.pdf></i frame>');

    Now, the Flash exploit:

    Code:
    obj = new ActiveXObject('ShockwaveFlash.ShockwaveFlash')

    <i frame src=sinceDummyMiddle.swf></i frame>');

    For non-IE browsers that use plugins:

    Code:
    if((plugin.indexOf('Adobe Acrobat') != -1) ||

    <i frame src=hereEvil.pdf></i frame>');

    And the Flash component:

    Code:
    if( plugin.indexOf('Flash') != -1)

    <i frame src=sinceDummyMiddle.swf></i frame>');
    
    Finally, from the sans.org Diary cited by MrBrian:

    Any security that blocks unauthorized executables will intercept at this point.

    At this moment Foxit is not targeted, but it has been in the past, so using Foxit is no guarantee that another exploit won't surface.


    Regarding plugins: they are very useful and convenient, since the user is not prompted to Save/Open the file. Rather, the file opens automatically in the browser. This, of course, is a huge security risk.

    The safer way is to be prompted to Open/Save a file. Then, the user is presented with the same scenario as when receiving an email with attachment:

    To Open or Not To Open: That is the question.

    ----
    rich
     
  9. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Interesting post Rmus, inspired me to do some poking around with Firefox. I found the default control for my PDF, which is Foxit; I didn't realise you could alter the settings. Might be of use to anyone else.

    For Firefox, click Tools/Options/Applications/find your PDF tool/click the arrow/drop-down options should appear.

    I don't have IE set up for PDF so unable to tell you those.

    Edit: Thinking about it, is the Always ask just literally asking to use Foxit, or to download the PDF file ... anyone know?
     

  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yet foxit doesn't quite appear to be coded by monkeys, does it?
     
  11. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hmmm well changing the default action for Foxit to Ask just seems to crash Firefox more than usual. Just doesn't appear to do anything. No dialogue box appears at any point.

    Edit: DefenseWall was playing up, was blocking Foxit. The dialogue appears and gave me the option to Choose which PDF I'd like to use to open the document.

    Clicking Always Ask gives you the option to flick between safe PDF (possibly Foxit) and your not-so-safe (Adobe), depending where you are browsing at the time.
     
    Last edited: Jul 23, 2009
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,145
    Location:
    Texas
    http://blogs.adobe.com/psirt/
     
  13. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
    Try this --> go to Tools>>Add-ons>>Plugins and disable the Foxit plugin. You should then get a dialogue box anytime you click on a link to a PDF.
     
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690

    Yeah I just got it to work, thanks anyway. I edited my post as you were probably typing this :p

    Foxit was being blocked by DefenseWall for some reason.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    At least one URL is active, and we can see how the exploit works. It seems to be a package with several exploits. It might depend on which browser is identified. Nothing triggered using Opera 9.64 - I had scripting enabled, so I don't know what happened.

    Using IE6, these files are cached, so it looks like a package of exploits:

    pdfswf-cache.gif

    CAV9MQB2.HTM contains this CLSID which refers to the DirectShow exploit. That exploit does not work on my Win2K system.

    Code:
    {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
    The PDF and SWF exploit code was identifiable and is exactly as I posted above. The PDF code did trigger loading the file into the IE browser, but the file would not execute any code:

    pdfswf-1.gif

    Bojan Zdrnja refers to this file in his sans.org Diary update:

    UPDATE 3 (by Bojan):
    http://isc.sans.org/diary.html?date=2009-07-22
    Mine is an old version of the Reader which evidently the file did not like! A subsequent visit to the site downloaded a different PDF file with the same result. The PDF file was identified as Exploit.Win32.Pidief.bes. You may remember the Pidief family of trojans that surfaced in a wave of PDF exploits earlier this year.

    I'm not sure about the SWF file, whether or not that triggered the downloading of malware; but I did get this alert from Anti-Executable -- it may have been an old IE exploit:

    pdfswf-AE.gif

    I downloaded file.exe and it was identified as Trojan-Downloader:W32/Bredolab.AE

    Several things can be noted in this exploit:

    • Continuing use of third-party application vulnerabilities to serve up malware

    • Packaging of 3 - 5 exploits hoping to snag an unpatched vulnerability, either in a browser (IE) or another application.

    • As in the past, the final payload is a malicious executable, which can be stopped with proper protection against unauthorized executables in place.

    • In past exploits combined in a package, the malware executable is usually the same file in each exploit.

    Note that the use of PDF and SWF files does not target Plugins, rather, they target the applications themselves (Acrobat Reader, Flash in this case). The Plugin is just a DLL used as a convenient means of sneaking in the file without the user being aware.

    It would seem that with Javascript and Plugins disabled, these types of exploits would fail. But considering the population at large that probably uses these applications in their default settings, that is a huge group of exploitable people, whereas those who frequent forums and keep up with these exploits are in a minority.

    How many here have contacted at least one person to warn/advise of this exploit? That is one less person to be exploited!

    ----
    rich
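A defender reading Rmus's two posts (#8 and #15) mostly wants a way to spot this landing-page shape in a proxy cache or web-filter log before the PDF/SWF ever reaches Reader or Flash. The scanner below is an added example, not code from the thread or from SANS; it turns the fragments quoted above (IE user-agent sniffing, ActiveXObject instantiation, the ShockwaveFlash ProgID, plugin-list probing, an iframe that loads a .pdf/.swf) and the DirectShow CLSID from the cached HTML into indicator patterns, and scores them so that a plain iframe embedding a document, which legitimate sites do all the time, does not flag on its own. The sample documents are constructed here for the demonstration; the file names in them are placeholders.

```python
import re
from typing import Dict, List

# Indicator patterns, one per fragment quoted in this thread: IE user-agent
# sniffing, ActiveX instantiation, the Flash ProgID, plugin-list probing and an
# iframe pointing at a .pdf/.swf (post #8), plus the DirectShow CLSID that
# turned up in the cached HTML (post #15). "<i frame" is accepted as well as
# "<iframe" so the forum-obfuscated spelling is caught too.
INDICATORS: Dict[str, re.Pattern] = {
    "ua_sniff_msie": re.compile(
        r"navigator\.userAgent\.indexOf\(\s*['\"]MSIE['\"]\s*\)"),
    "activex_instantiation": re.compile(r"new\s+ActiveXObject\s*\(", re.IGNORECASE),
    "flash_progid": re.compile(r"ShockwaveFlash\.ShockwaveFlash", re.IGNORECASE),
    "plugin_enumeration": re.compile(
        r"plugin\.indexOf\(\s*['\"](?:Adobe Acrobat|Flash)['\"]\s*\)"),
    "iframe_pdf_swf": re.compile(
        r"<\s*i\s*frame[^>]*\bsrc\s*=\s*['\"]?[^'\"\s>]+\.(?:pdf|swf)\b", re.IGNORECASE),
    "directshow_clsid": re.compile(
        r"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", re.IGNORECASE),
}

# An iframe to a PDF or SWF is also how plenty of legitimate pages embed a
# document, so on its own it is a weak indicator and never flags a page.
WEAK = {"iframe_pdf_swf"}


def scan_html(html: str) -> List[str]:
    """Names of the indicators that fire on one document, sorted for stable output."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(html))


def classify(html: str) -> str:
    """Reduce the hits to a verdict.

    exploit-kit : the DirectShow CLSID is present, or a strong indicator
                  (sniffing / ActiveX / plugin probing) sits beside an iframe
                  that loads a .pdf/.swf, i.e. the shape Rmus describes.
    suspicious  : a strong indicator alone (old-IE XHR code also uses
                  ActiveXObject, so this is a triage queue, not a block).
    clean       : nothing, or only the weak iframe indicator.
    """
    hits = set(scan_html(html))
    strong = hits - WEAK
    if "directshow_clsid" in hits or (strong and "iframe_pdf_swf" in hits):
        return "exploit-kit"
    if strong:
        return "suspicious"
    return "clean"


# Constructed samples (not captured content). "landing_page" strings together
# the fragments quoted in post #8 with placeholder file names; "benign_embed"
# is an ordinary page embedding a report; "cached_object" is the kind of cached
# HTML from post #15, carrying the CLSID in an <object> tag; "legacy_xhr" is
# old-IE AJAX code that also instantiates an ActiveX object.
SAMPLES = {
    "landing_page": """<script>
if(navigator.userAgent.indexOf('MSIE') != -1)
obj = new ActiveXObject(PDF[i])
if (obj)
<iframe src=sample.pdf></iframe>
obj = new ActiveXObject('ShockwaveFlash.ShockwaveFlash')
<iframe src=sample.swf></iframe>
if((plugin.indexOf('Adobe Acrobat') != -1) ||
</script>""",
    "benign_embed": '<h1>Annual report</h1><iframe src="/docs/report.pdf" width="600"></iframe>',
    "cached_object": '<object classid="clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"></object>',
    "legacy_xhr": "<script>var req = new ActiveXObject('Msxml2.XMLHTTP');</script>",
}


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Verdict per document name; the shape you would feed from a proxy cache."""
    return {name: classify(html) for name, html in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict:12s} {scan_html(SAMPLES[name])}")
```

The point of the three-way verdict is the one Rmus makes about plugins: the dangerous combination is browser/plugin probing followed by silently loading a PDF or SWF into the page, so the scanner only calls something an exploit kit when both halves are there (or when the DirectShow CLSID shows up at all), and leaves a lone ActiveXObject call for a human to look at.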
     
  16. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Rmus

    Well I haven't contacted anyone about this specific issue, but I inform anyone I know, who's interested, how to secure their browsers & PCs. That's even before adding any AV etc etc !

    If more people did then so much the better, I know you do. Bless you SIR.
     
  17. Kropotkinlives

    Kropotkinlives Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    2
    Hi, my antivirus software (ZoneAlarm) just picked up and quarantined a virus called: Exploit.Win32.Pidief.bes. After a quick Google search I wound up here, and not being technical at all, wonder what exactly having had it means for my internet security. Could it have already done anything despite being quarantined? I find it annoying that something so commonly used as Adobe software could have such a problem with it, although admittedly, not all that long after detecting it the new Adobe patch has updated.

    I've always been careful on the internet and have never detected anything but low-level threats until now. With a new computer (not yet had it a year), I'm quite panicked! Any help greatly appreciated.

    Regards, Pete.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Pete,

    Without seeing what the quarantined file is, it's difficult to know at what point your AV picked up the exploit. Did you look inside the quarantine folder to see the file name? Some AVs will quarantine the HTML file itself because they recognize the exploit code.

    Or, it may be that the exploit started and your AV quarantined the PDF file itself. This means that scripting was enabled in your browser for the site that contained the exploit code, and that plugins were enabled in your browser, which load the PDF file into the browser. A careful check of your browser configuration may reveal at which point the AV picked up the exploit.

    See my Post #8 above.

    regards,

    rich
     
  19. Kropotkinlives

    Kropotkinlives Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    2
    Hi Rich, thanks for the reply.

    I'm not sure how to check my browser configurations to identify when I picked up the virus. I have however checked my Firefox download list and the only PDFs I've opened in the last month have been from direct.gov.uk. This confuses me because I doubt direct.gov.uk files would be infected. You never really know though :doubt:

    I have, however, now installed Foxit since I don't feel I can trust Adobe anymore.

    If it helps, I don't appear to have been redirected to any other sites before or since the virus was found. If that is all the virus does, then I hope this is a good sign!

    Thanks again.
     