Another Adobe Zero-Day Attack

Discussion in 'other security issues & news' started by hawki, Sep 8, 2010.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,956
    Location:
    DC Metro Area
    "Adobe on Wednesday warned of a zero-day hole in Reader and Acrobat that is reportedly being exploited in the wild.

    The critical vulnerability is in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh, and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh, according to the security advisory. The hole could allow an attacker to take control of an affected computer and potentially affects millions of computers using the Adobe software, which is the most popular PDF (portable document format) viewer.

    The company said it is evaluating the schedule for releasing a security update to resolve the issue........."

    Read more: http://news.cnet.com/8301-27080_3-20015848-245.html?tag=cnetRiver#ixzz0yxpcadJu
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re: Security Advisory for Adobe Reader and Acrobat

    Not bad, first one this year, sorry I mean today :D
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Security Advisory for Adobe Reader and Acrobat

    One exploit uses an email attachment hoping to entice the reader to click on a PDF to learn how to improve your golfing score. The payload in the PDF is a malicious executable:

    CVE-2010-2883 Security Advisory for Adobe Reader and Acrobat
    http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html

    This means that until a patch is issued, users with some type of execution protection in place are still safe.

    Although the PDF is seen presently as an email attachment, it's sure to be picked up and used in exploit kits soon, meaning drive-by downloads will be found throughout the internet.

    ----
    rich
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Rmus! Do you have a sample for testing? Thanks
     
  5. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Re: Security Advisory for Adobe Reader and Acrobat

    Guess if you don't play golf you're safe. :D Seriously, I now open all PDFs sandboxed because of all the exploits.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    You trying to get banned :p
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, I lost interest in this type of exploit because they are all blocked the same way, since the payload is a binary executable:

    [​IMG]

    In other words, it's the same old stuff!, over and over...!

    ----
    rich
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    A more comprehensive look, here

    The Adobe Advisory is here
    Adobe Reader zero-day attack – now with stolen certificate
     
    Last edited: Sep 9, 2010
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,956
    Location:
    DC Metro Area
  10. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    You gotta just love Adobe. Just wouldn't be the same without their regular 'exploits.' boom boom
     
  11. Dogbiscuit

    Dogbiscuit Guest

    "I think the use of valid, stolen certificates to sign malware will really take off in 2011," the security researcher added.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There is another way to block this type of exploit, which I just remembered: when the PDF file attempts to connect out to download the malware, a software firewall with outbound protection will intervene:

    golfPDF.gif

    The URL it attempts to connect to has been taken down, so it wasn't possible to see the rest of the exploit in action, which would result in the downloader being blocked if you have some type of execution protection, as I showed in a previous post.

    Regarding DEP+ASLR being bypassed: this is not the first time, and probably won't be the last. Researchers have shown in the past how this can be accomplished.

    The only really sure protection (or maybe one of the sure protections) is to have all the executables on the computer in a White List. One of the included specifics in the White List is the SHA-1 hash for each executable.

    Then, when an exploit like this one attempts to install its malware, it won't match anything in the White List, and so will be blocked. End of Exploit.

    ----
    rich
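
The hash-based White List check described in the post above, as an added example that is not part of the original thread and is not any product's own code. The file names, file contents and function names are constructed for illustration; SHA-1 is used only because the post names it.

```python
import hashlib
import os
import tempfile

def sha1_of(path, chunk=65536):
    """Stream the file so large executables are not read into memory at once."""
    h = hashlib.sha1()  # the post names SHA-1; a current deployment would use SHA-256
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_allowlist(paths):
    """Record resolved path -> hash for each executable trusted at baseline time."""
    return {os.path.realpath(p): sha1_of(p) for p in paths}

def check_execution(allowlist, path):
    """Default-deny decision for a file that is about to be launched."""
    real = os.path.realpath(path)
    expected = allowlist.get(real)
    if expected is None:
        return "BLOCK: not in allowlist"   # e.g. a payload dropped by a document
    if sha1_of(real) != expected:
        return "BLOCK: hash mismatch"      # trusted path, but contents changed
    return "ALLOW"

def demo():
    """Constructed scenario: baseline one viewer, then drop and tamper with files."""
    with tempfile.TemporaryDirectory() as d:
        viewer = os.path.join(d, "viewer.exe")            # hypothetical trusted binary
        dropped = os.path.join(d, "dropped_payload.exe")  # hypothetical dropped file
        with open(viewer, "wb") as f:
            f.write(b"MZ constructed trusted viewer")
        allow = build_allowlist([viewer])
        results = [check_execution(allow, viewer)]
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed payload")
        results.append(check_execution(allow, dropped))
        with open(viewer, "wb") as f:                     # same path, new contents
            f.write(b"MZ constructed trusted viewer, modified")
        results.append(check_execution(allow, viewer))
        return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third result also applies to legitimate updates: a patched binary no longer matches its recorded hash until the list is rebuilt. The check covers files launched from disk, not code that runs inside a process that is already allowed.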
     
  15. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Adobe Flash Player Zero Day Under Attack - ZDNet Zeroday

    Gird your loins until then. :D
     
  17. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    124
  18. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    I wonder if the new Flash v10.2 beta (64bit lineup) has this fixed?
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,956
    Location:
    DC Metro Area
    Adobe Schedules Flash Update For Monday, September 20

    Adobe has updated their recent security advisory for Flash to note that the vulnerabilities disclosed in it will be patched this coming Monday, September 20. Updates for Adobe Flash Player for Windows, Macintosh, UNIX, Solaris and Android will all be released on that day.


    http://blogs.pcmag.com/securitywatch/2010/09/adobe_schedules_flash_update_f.php
     
  22. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  23. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The anticipated Adobe Reader 9.4 release is now available, via the internal update mechanism (or) via the download below >
    http://get.adobe.com/reader/otherversions/
    Select your operating system | language | build number.
     