Potential Adobe Reader, Acrobat, and Flash Player issue

Discussion in 'other security issues & news' started by ronjor, Jul 22, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Adobe
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Adobe Flash zero-day attack underway; Harden PDF Reader immediately

    Zero-day PDF Attack Goes After Flash Flaw

    YA0D (Yet Another 0-Day) in Adobe Flash player

     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Next-Generation Flash Vulnerability

     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Adobe is taking an enormous beating from the malware community. But then, they seem to have coded software with all the security of Swiss cheese.

    Solution: disable Flash, disable PDF plugin, don't open untrusted PDFs.
     
  5. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Just as a precaution, they tell you to disable a *.dll. I saw it on a website, but I can't remember which. I'll dig it up again :p
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    US CERT says:

    http://www.us-cert.gov/current/index.html#adobe_reader_acrobat_and_flash
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Replace adobe reader with foxit reader.
    Replace adobe flash with o_O maybe one day :(
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Code for the exploit has been posted. It's pretty much the same as has been used in previous exploits. The user is redirected from a compromised legitimate site to another site with this code:

    First, we see that javascript is required to start things:

    Code:
    <script>
    The exploit contains code to catch users with different browsers. As has been mentioned by Windchild,
    disabling plugins (activeX) prevents the PDF file from loading.

    For IE users:

    Code:
    if(navigator.userAgent.[B][COLOR="DarkRed"]indexOf('MSIE'[/COLOR][/B]) != -1)
    
    obj = new [B][COLOR="DarkRed"]ActiveXObject(PDF[/COLOR][/B][i])
    
    if (obj)
    
    <[B][COLOR="DarkRed"]i frame src=hereEvil.pdf[/COLOR][/B]></i frame>');
    
    Now, the Flash exploit:

    Code:
    obj = new [B][COLOR="DarkRed"]ActiveXObject('ShockwaveFlash.[/COLOR][/B]ShockwaveFlash')
    
    <[B][COLOR="DarkRed"]i frame src=sinceDummyMiddle.swf[/COLOR][/B]></i frame>');
    
    For non-IE browsers that use plugins:

    Code:
    if(([B][COLOR="DarkRed"]plugin.indexOf('Adobe Acrobat[/COLOR][/B]') != -1) || 
    
    <[COLOR="DarkRed"][B]i frame src=hereEvil.pdf[/B][/COLOR]></i frame>');
    
    And the Flash component:

    Code:
    if([COLOR="DarkRed"][B] plugin.indexOf('Flash'[/B][/COLOR]) != -1)
    
    <[COLOR="DarkRed"][B]i frame src=sinceDummyMiddle.swf[/B][/COLOR]></i frame>');
    
    Finally, from the sans.org Diary cited by MrBrian:

    Any security that blocks unauthorized executables will intercept at this point.

    At this moment Foxit is not targeted, but it has been in the past, so using Foxit is no guarantee that another exploit won't surface.

    [​IMG]

    Regarding plugins: they are very useful and convenient, since the user is not prompted to Save/Open the file. Rather, the file opens automatically in the browser. This, of course, is a huge security risk.

    The safer way is to be prompted to Open/Save a file. Then, the user is presented with the same scenario as when receiving an email with attachment:

    To Open or Not To Open: That is the question. ​

    ----
    rich
     
  9. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Interesting post Rmus, inspired me to do some poking around with Firefox. I found the default control for my PDF, which is Foxit, I didn't realise you could alter the settings. Might be of use to anyone else.

    for Firefox, click Tools/Options/Applications/find your PDF tool/click the arrow/drop down options should appear.

    I don't have IE set up for PDF so unable to tell you those.

    Edit: Thinking about it, is the Always ask, just literally asking to use Foxit, or to download the PDF file ... anyone know ?
     

    Attached Files:

  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yet foxit doesn't quite appear to be coded by monkeys, does it?
     
  11. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hmmm well changing the default action for Foxit to Ask just seems to crash Firefox more than usual. Just doesn't appear to do anything. No dialogue box appears at any point.

    Edit: DefenseWall was playing up, was blocking Foxit. The dialogue appears and gave me the option to Choose which PDF i'd like to use to open the document.

    clicking Always Ask is gives you the option to flick between safe PDF (possibly Foxit) and your not so safe (Adobe), depending where you are browsing at the time.
     
    Last edited: Jul 23, 2009
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    http://blogs.adobe.com/psirt/
     
  13. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Try this --> go to Tools>>Add-ons>>Plugins and disable the Foxit plugin. You should then get a dialogue box anytime you click on a link to a PDF.
     
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690

    Yeah I just got it to work, thanks anyway. I edited my post as you were probably typing this :p

    Foxit was being blocked by Defensewall for some reason.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    At least one URL is active, and we can see how the exploit works. It seems to be a package with several exploits. It might depend on which browser is identified. Nothing triggered using Opera 9.64 - I had scripting enabled, so I don't know what happened.

    Using IE6, these files are cached, so it looks like a package of exploits:

    pdfswf-cache.gif

    CAV9MQB2.HTM contains this CLSID which refers to the directshow exploit. That exploit does not work on my Win2K system.

    Code:
    {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
    The PDF and SWF exploit code was identifiable and is exactly as I posted above. The PDF code did trigger loading the file into the IE browser, but the file would not execute any code:

    pdfswf-1.gif

    Bojan Zdrnja refers to this file in his sans.org Diary update:

    UPDATE 3 (by Bojan):
    http://isc.sans.org/diary.html?date=2009-07-22
    Mine is an old version of the Reader which evidently the file did not like! A subsequent visit to the site downloaded a different PDF file with the same result. The PDF file was identified as Exploit.Win32.Pidief.bes. You may remember the Pidief family of trojans that surfaced in a wave of PDF exploits earlier this year.

    I'm not sure about the SWF file, whether or not that triggered the downloading of malware; but I did get this alert from Anti-Executable -- it may have been an old IE exploit:

    pdfswf-AE.gif

    I downloaded file.exe and it was identified as Trojan-Downloader:W32/Bredolab.AE

    Several things can be noted in this exploit:

    • Continuing use of 3rd party applications vulnerabilities to serve up malware

    • Packaging of 3 - 5 exploits hoping to snag an unpatched vulnerability, either in a browser (IE) or another application.

    • As in the past, the final payload is a malicious executable, which can be stopped with proper protection against unauthorized executables in place.

    • In past exploits combined in a package, the malware executable is usually the same file in each exploit.

    Note that the use of PDF and SWF files does not target Plugins, rather, they target the applications themselves (Acrobat Reader, Flash in this case). The Plugin is just a DLL used as a convenient means of sneaking in the file without the user being aware.

    It would seem that with Javascript and Plugins disabled, these types of exploits would fail. But considering the population at large that probably uses these applications in their default settings, that is a huge group of exploitable people, whereas those who frequent forums and keep up with these exploits are in a minority.

    How many here have contacted at least one person to warn/advise of this exploit? That is one less person to be exploited!

    ----
    rich
     
  16. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Rmus

    Well i havn't contacted anyone about this specific issue, but i inform anyone i know, who's interested, how to secure their Browsers & PC's. That's even before adding any AV etc etc !

    If more people did then so much the better, i know you do. Bless you SIR.
     
  17. Kropotkinlives

    Kropotkinlives Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    2
    Hi, my antivirus software (Zonealarm) just picked up and quarantined a virus called: Exploit.Win32.Pidief.bes. After a quick google search i wound up here, and not being technical at all, wonder what exactly having had it means for my internet security. Could it have already done anything despite being quarantined? I find it annoying that something so commonly used as adobe software could have such a problem with it, although admittedly, not all that long after detecting it the new adobe patch has updated.

    I've always been careful on the internet and have never detected anything but low-level threats until now. With a new computer (not yet had it a year), i'm quite panicked! Any help greatly appreciated.

    Regards, Pete.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Pete,

    Without seeing what the quarantined file is, it's difficult to know at what point your AV picked up the exploit. Did you look inside the quarantine folder to see the file name? Some AVs will quarantine the HTML file itself because it recognizes the exploit code.

    Or, it may be that the exploit started and your AV quarantined the PDF file itself. This means that scripting was enabled in your browser for the site that contained the exploit code, and that Plugins were enabled in your browser which loads the PDF file into the browser. A careful check of your browser configurations may reveal at which point the AV picked up the exploit.

    See my Post #8 above.

    regards,

    rich
     
  19. Kropotkinlives

    Kropotkinlives Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    2
    Hi Rich, thanks for the reply.

    I'm not sure how to check my browser configurations to identify when i picked up the virus. I have however checked my firefox download list and the only pdfs i've opened in the last month have been from direct.gov.uk. This confuses me because i doubt direct.gov.uk files would be infected. You never really know though :doubt:

    I have, however, now installed foxit since I don't feel i can trust adobe anymore.

    If it helps, i don't appear to have been redirected to any other sites before or since the virus was found. If that is all the virus does, then i hope this is a good sign!

    Thanks again.
     
Loading...
Thread Status:
Not open for further replies.