Discussion in 'other security issues & news' started by ronjor, Dec 6, 2011.
Here we go again! Thanks Ron!
Thanks for the heads up Ron.
Their sandbox solves this issue.
It's the best thing Adobe ever did. Now if they could add it to everything...
Thanks, Ron A note from Adobe's PSIRT Team
IS protected mode not on by default or something? If not, why?
It should be enabled by default.
At the image of Internet Explorer, users can disable it, though. And, if users can do it, so can malware. What's there to stop an exploit from actually managing to break out of the sandbox, and then disable Reader's sandbox for future attacks? Or even malware downloaded through e-mail, etc.
I'd do that, if I knew how. lol
Malware can't turn it off from within the sandbox though... that wouldn't make much sense.
Damn I think it might be time to switch back to Adobe Reader with that protected mode... I'll wait and see if Windows 8 beta has it built in.
That's not what I said...
I said/asked... What's there to stop an exploit from actually managing to break out of the sandbox, and then disable Reader's sandbox for future attacks? Or even malware downloaded through e-mail, etc.
I'm not talking about an exploit attacking this vulnerability; it could be any other attacking future known vulnerabilities. I'm saying that the sandbox isn't 100% effective, as it's only code and will have flaws for sure. Making it possible to disable Protected Mode from within user land... I don't like that.
Then again, if an exploit comes out attacking this vulnerability and if you're hit by it, we can't be 100% confident that Protected Mode will stop it. It should/would, but no guarantees. Software developers are always careful with their words; they never give 100% guarantees, as they don't know it either.
Oh I see. Yeah, nothing I guess. I would think you'd need admin access to do it but I'm not familiar with Adobe Reader - I just use Chrome to view PDF files.
I just disabled Adobe Reader's Protected Mode using regedit.exe under HKCU.
Does anyone know if there's any ADM template for Adobe Reader? Maybe one could make administrators being the only ones able to disable it.
I did a little search, but came out empty. If they got it, it's very well hidden.
I found this non-official -http://sourceforge.net/projects/customadmx/
I'll take a look.
They should stop users from being able to disable it. The thing is that once malware is on the system there's not a lot you can do anyways.
I agree that it's an issue but I don't see it being too big. I'm pretty sure malware can just run Chrome with the command flag to disable the sandbox as well.
They just don't really need to because once they're on the system they can create a connection of their own.
But, if you could make the user break them from the outside, say by opening an e-mail file, wouldn't you rather do it? Because, at this point you'd only have the same rights as the user, but by breaking the sandboxes, you could lately spread an exploit making use of a privilege escalation bug.
Maybe I got a very peculiar way of thinking... lol
From mitigations in the advisory
i wonder if other readers are effected by that
Adobe responds to the zero-day
There has been none reported, Sumatra, etc.
Adobe Zero-Day Targets Lockheed Martin
Espionage network exploiting Adobe Reader flaw
By InfoWorld Tech Watch
Created 2011-12-09 10:21AM
The Adobe vulnerability has fueled the spread of a spy program targeting corporate and government secrets, says security firm Symantec
Espionage network exploiting Adobe Reader flaw
Adobe warned users of its Reader software earlier this week that attackers were using a critical vulnerability in the program to enable "limited, targeted attacks." Today security firm Symantec provided details of the attacks, which appear to have been well-funded efforts aimed at stealing secrets from specific industries and government agencies in the United States and United Kingdom.
The attacks used crafted e-mails designed to look like personal communications to specific managers or executives at the targeted organization, the company states in its brief analysis . Once the PDF attachment is opened, a Trojan -- dubbed "Sykipot" by Symantec -- infects the system using the vulnerability. Once a system is compromised, it communicates with a network of command-and-control servers hosted on at least a dozen and perhaps more than 50 domains.
"While the back door Trojan itself isn't very sophisticated or well-coded, the attackers are skilled enough to have discovered multiple zero-day vulnerabilities," the security firm states. "Given the long list of command-and-control servers being used for controlling the botnet, the attackers are unlikely to be a single person, but rather a group of people."
In March 2010, the same group used a zero-day flaw in Internet Explorer to further its attacks on targets, Symantec says. While the latest attacks appeared to only target Windows systems, the critical vulnerability in Adobe Reader affects Windows, Mac OS X, and Unix, according to Adobe's advisory . Adobe expects to patch the vulnerability the week of Dec. 12.
The attacks have targeted defense contractors, telecommunications firms, computer-hardware makers, chemical companies, and energy utilities, as well as government agencies, Symantec states. The company would not speculate who was launching the attacks against the sensitive networks, but found evidence that the attacks have lasted at least two years and perhaps as far back as 2006.
"These attacks have been long running, persistent, and targeted, leading us to believe that the attackers are well-funded and motivated to acquire specific, high-value information," the company states in its analysis.
While linking such attacks to any particular nation or adversary is difficult, the samples of the Sykipot Trojan analyzed by Symantec contained error messages in Chinese.
I don't know about the reader, but disabling it Acrobat is essential for me. I tried turning it on, and everything I wanted to do to a PDF file was blocked. Had to turn it back off. I need sanboxing I just open it in SBIE.
For those not paying any attention... Update for Adobe Reader X.
For those interested, you can also get it from Adobe's FTP server: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.2/
Separate names with a comma.