Urgently needs protection against PDF and Java exploits that bypass user execution

Discussion in 'ESET NOD32 Antivirus' started by helloworld123, Apr 11, 2010.

Thread Status:
Not open for further replies.
  1. helloworld123

    helloworld123 Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    1
    Hey, this is the second time I've been infected with either a PDF or a Java.exe exploint while browsing the web. The attackers generally exploit adservers and deliver the malware with a pdf files or a java exploit. The very serious problem with this is that a user doesnt need to confirm the execution of the executable and even advanced users are left vulnerable if they allow pdf files to be opened in the browser. I have set that all pdf files are to be downloaded but I am not sure if this will be sufficient in combating these attacks.

    This occured with Java 6 and Reader 9.1

    The infection eventually or immiedietly installed the TDSS rootkit in the iaStor.sys driver. ComboKit was not able to get rid of the rootkit and Kaspersky's tool was not successful either. I stupidly overwrote my iaStor.sys file with avenger with a backup but this permanently broke windows. Replacing the iaStor.sys with a iaStor.sys from another windows or from Intel's archive doesn't fix windows. Apprently you cant just overwrite driver files? I had to reinstall Windows

    Anyway, please, please work on these threats because they are clearly the future of malware and the attack vector is superior to asking a user for permission to execute.
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Suggestions.

    Use Firefox with NoScript and block Java by default.
    Get rid of Adobe Reader. Safest replacement would be Gpdf. If you need a local reader go with something like Nuance, PDF-Xchange, Foxit, or Sumatra.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Apr 12, 2010
  4. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Thank you for your first post here and by the way, this is not a pdf and java discussion forum.:p

    Maybe this is what you experienced ... https://www.wilderssecurity.com/showthread.php?t=269790
     
    Last edited: Apr 11, 2010
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,952
    Location:
    U.S.A.
    Let's wait and see if helloworld123 returns soon to inform us if ESET NOD32 Antivirus is being used. If not, we'll move the thread to another forum and possibly close it.

    JR
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Hello World, update adobe reader to the latest 9.3.1 or dump it for another reader, also make sure java is updated to version 6 update 19.
    If you want exploit protection, the best protection is updating!
     
  7. AnotherUser

    AnotherUser Guest

    No more...

    Security problem with Java 6 since Update 10:
    Java Deployment Toolkit Performs Insufficient Validation of Parameters, Workaround is mentioned in the article

    Security problem in the PDF standard:
    Escape From PDF
    Workaround for Adobe Reader: Adobe Blog
    Foxit released Version 3.2.1.0401 - this one asks at least before running an executable.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Uninstall JAVA - useless these times.
    And get another reader - like PDF XChange or Foxit.
    I prefer PDF XChange - many updates, less vulnerabilities
    http://www.docu-track.com/

    And very important - disable the stupid integration into any browser.
    not so many PDF files are optimized for browser reading so it makes
    not difference if you download then read it.
     
  9. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Re: Urgently needs protection against PDF and Java exploits that bypass user executio

    Easier said than done, I would not be able to do my internet i-banking without java installed.:gack:
     
  10. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Re: Urgently needs protection against PDF and Java exploits that bypass user executio

    Then use Firefox with NoScript, or Opera so that it isn't enabled by default on every web site.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Re: Urgently needs protection against PDF and Java exploits that bypass user executio

    For firefox you can enable/disable it on demand.
    if usefull get a button for that --> http://codefisher.org/toolbar_button/
     
  12. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Thanks for all your good suggestions which means java must still be installed but should not be enabled by default in your browsers.:thumb:

    On Java 6 update 18, any need to update to 19 o_O

    I am using Opera, so I don't have to do anything else. Wow, no wonder, Opera is known as a safe and secure browser.:eek:
     
  13. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  14. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Tired of doing these updates. Based on what is targeted on java update 20 may actually arrive sooner than expected.

    Been running update 18 since Dec 2009 and no attack for me so far. Of course, I do have other security layers, so will stay put for the time being.:ninja:
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Of course, new security holes are always discovered, but using ancient versions with tons of holes which are known for a long time, so there's a lot of malware abusing it, that's just asking to get infected.

    Plus, Adobe Reader already asked for the file from the PDF to be executed, only Foxit needed an update to make it ask before executing.
     
  16. pendarus

    pendarus Registered Member

    Joined:
    Jun 18, 2009
    Posts:
    4
    I'm sorry, but is it too much to ask for ESET to protect me and my users from these attacks?

    We pay a significant fee to ESET every year. I would expect they would keep up with changing trends and provide protection against the latest threats.

    In the last 60 days I have had 3 machines destroyed by attacks from legit websites. NOD32 never saw the attacker and allowed the attacker to rip it's guts out. Luckily, I have an image to rebuild machines from and it only takes half a day to get a user back and working. But that's a day and a half I could have dedicated to building my business.

    In a corporate environment, disabling Java, using Firefox, or moving away from Adobe reader is not an option. I have many customers with custom web portals that do not run well on Firefox, and require Java, that we must use if we wish to continue to do business with them.

    What am I spending money on if ESET cannot protect me as advertised?
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    get a cisco remote box!
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    While the junky bug-ridden Sun Java and Adobe Reader are both free, right? :rolleyes: Did you realize that it's those two that are broken and vulnerable here? Any AV is reactive by nature, it doesn't detect unknown malware unless it's caught by some heuristics.
     
  19. pendarus

    pendarus Registered Member

    Joined:
    Jun 18, 2009
    Posts:
    4
    I don't think you read my entire post. My customers determine what software I use. Otherwise they don't do business with me and I go out of business.

    This is what ESET advertises:

    "ESET NOD32 Antivirus 4 protects your business without creating system slowdowns that negatively impact productivity. It is effective against emerging malware and Internet threats as they are released, not hours or days later. "

    This is what I pay for. Does it deliver? No not in my experience.

    I don't think ESET is ready to be a corporate solution. At least McAfee put up a fight before it let anything it did not recognize kill it. I may have to go back to McAfee once my ESET license is up.
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, you definitely are reading way to much into the marketing blurb and less into the EULAs. Whatever, this is pretty pointless debate.

    1/ AVs by their nature are NOT prevention, they are reactive.
    2/ AVs are not designed to work around fatal flaws in other products, you need a different kind of product for this (such as HIPS, behaviour blocker, sandbox).
    3/ Every AV out there will fail you sooner or later with different kind of malware (see above). So, good luck w/ McAfee if you think it's gonna be any better.
    4/ Stubbornly insisting on using buggy bloatware such as Adobe Reader won't get you anywhere. Adobe seems to have long forgotten that PDF stands for Portable Document Format and keep integrated incredibly stupid stuff which worse yet is enabled by default, together with sloppy programming a sure recipe for disaster. Also, why people keep on insisting to open the PDFs within their browser goes beyond me. At best it causes a quite noticeable browser freeze while the thing loads.

    As for Java... I've recently downloaded JavaRa which wiped about 12 outdated JRE versions from my computer, including full installer of versions "uninstalled" ages ago plus huge amount of registry junk. Shame on you, Sun, you are a joke, a bad one for that matter.

    P.S. I don't exactly care what your customers use, not a problem of mine. If you are seeking to minimize damage caused by similar exploits in buggy software, then antivirus solutions are totally not what will help you there. You need a layered approach and AVs are actually the last thing that will hopefully trigger the emergency brake once everything else failed and the malware got through... or not, like in this case.
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    thats the point to discuss - i would say that AV should be the last security
    instance which can fail. on the other hand exploits on some software is NOT
    new! so admin has to do his job here before.
    the trouble seems the short term testing vs the long term being exploited (both in days).
    the next important point is that any av is only one wheel in the gear box.
    any time i read that people rely on their installed software - and some failed.
     
  22. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, pretty much... also, for all these horror stories, I'd say a good 95% of the 't3h noes, my box p0wn3d, all beer in my fridge gone and my bank account empty' stories would not have happened if the people were using LUA/SRP+common sense plus cared to update at least their vulnerable stuff (hey, Secunia PSI will watch it for you!) - see the first post, wow... surprise, Adobe Reader 9.1 and I got screwed. Ugh, kinda feel like it's lost cause anyway, people should spend more money on educating themselves and less on "unique, guaranteed 100% etc." solutions marketed to them.

    (And don't get me wrong, this is not aimed at ESET or anyone else in particular here.)
     
  23. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Oracle (formerly Sun) has released an out-of-band update in order to patch the vulnerability being exploited in Java. Java 6.0 Update 20 can be downloaded from the official Java web site at http://www.java.com/en/download/manual.jsp.

    The exploitation code which is used to taken advantage of this security hole is detected using generic detection technologies by ESET as "JS/Exploit.JavaDepKit.A trojan." For additional information, I would recommend reading today's ESET Threat Blog article, "Unpatched Java Deployment Kit Vulnerability Exploited in the Wild" which discusses the work done by some of the heavy hitters in ESET's virus lab to analyze this threat.

    I know there are a number of businesses who use Adobe Reader for workflow purposes and must enable its JavaScript interpreter for forms automation, but if you do not need that functionality then perhaps it is time to at least being investigating alternatives, such as the free (open source) Sumatra PDF Reader.


    Regards,

    Aryeh Goretsky
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Thank you
     
  25. I will second the recommendation for Sumatra PDF, it rocks. It does not execute applications or interpret javascript; it just reads PDFs, and does so well and quickly. If you do not require some of those more ridiculous functions of "modern" PDF readers, you should probably use it rather than Adobe or even Foxit.

    As for Java, I don't even bother installing it on Windows.

    However - if you really need both Adobe Reader and Java, I would strongly recommend either using a limited user account or a HIPS. Both methods have their advantages and disadvantages:

    - LUA, especially in combination with SRP, is probably safer, and is more convenient for most people. However, it won't tell you whether software you install as admin is dangerous, whether it phones home, etc.

    - HIPS software is a bit more annoying due to all the popups you get while setting your system up, and may be a bit riskier if you're running as admin due to the probability of human error. However, it can tell you when software you install is doing something underhanded and sinister, which is quite useful; and generally gives you more control over your system.

    There's also sandboxing and virtualization software. The big free ones are Returnil (which makes a virtual copy of your OS) and Geswall (which sandboxes apps individually). Returnil is wonderful for maintaining a static system, but a bit inconvenient otherwise, at least in the free version. Geswall I haven't used much, but it seems to work pretty well *IF AND ONLY IF* you make sure that untrusted or potentially compromisable executables actually have the "untrusted" label. If you don't do that, it's useless. If you do, though, it's pretty secure.

    Finally I'm going to shamelessly plug my favorite security software...

    Macrium Reflect

    It can create a snapshot of a Windows system and back it up to a DVD, or multiple DVDs. It can also create a Linux or BartPE based rescue disk. Needless to say this is absolutely indispensable in the event of a bad infection - you can just boot from the rescue CD, copy the image onto your hard drive, and rewrite the MBR, and in 5-10 minutes you have a clean new system. If you have a CD/DVD writer and a Windows machine you should absolutely be using this, or some form of backup software, be it Clonezilla, PING, Ghost4Linux, Acronis, the original Norton Ghost, whatever! Just have some means of recovering your OS from backup in case things go pear-shaped.
     
    Last edited by a moderator: Apr 16, 2010
Thread Status:
Not open for further replies.