Urgently needs protection against PDF and Java exploits that bypass user execution

Hey, this is the second time I've been infected with either a PDF or a Java.exe exploint while browsing the web. The attackers generally exploit adservers and deliver the malware with a pdf files or a java exploit. The very serious problem with this is that a user doesnt need to confirm the execution of the executable and even advanced users are left vulnerable if they allow pdf files to be opened in the browser. I have set that all pdf files are to be downloaded but I am not sure if this will be sufficient in combating these attacks.

This occured with Java 6 and Reader 9.1

The infection eventually or immiedietly installed the TDSS rootkit in the iaStor.sys driver. ComboKit was not able to get rid of the rootkit and Kaspersky's tool was not successful either. I stupidly overwrote my iaStor.sys file with avenger with a backup but this permanently broke windows. Replacing the iaStor.sys with a iaStor.sys from another windows or from Intel's archive doesn't fix windows. Apprently you cant just overwrite driver files? I had to reinstall Windows

Anyway, please, please work on these threats because they are clearly the future of malware and the attack vector is superior to asking a user for permission to execute.

 

Suggestions.

Use Firefox with NoScript and block Java by default.
Get rid of Adobe Reader. Safest replacement would be Gpdf. If you need a local reader go with something like Nuance, PDF-Xchange, Foxit, or Sumatra.

 

Is this query in any way with regards to ESET Products ?
What to do if you are infected.
Edit to add: How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller Do not do this without Expert Assistance !!!

 

Thank you for your first post here and by the way, this is not a pdf and java discussion forum.

Maybe this is what you experienced ... https://www.wilderssecurity.com/showthread.php?t=269790

 

Hello World, update adobe reader to the latest 9.3.1 or dump it for another reader, also make sure java is updated to version 6 update 19.
If you want exploit protection, the best protection is updating!

 

No more...

Security problem with Java 6 since Update 10:
Java Deployment Toolkit Performs Insufficient Validation of Parameters, Workaround is mentioned in the article

Security problem in the PDF standard:
Escape From PDF
Workaround for Adobe Reader: Adobe Blog
Foxit released Version 3.2.1.0401 - this one asks at least before running an executable.

 

Uninstall JAVA - useless these times.
And get another reader - like PDF XChange or Foxit.
I prefer PDF XChange - many updates, less vulnerabilities
http://www.docu-track.com/

And very important - disable the stupid integration into any browser.
not so many PDF files are optimized for browser reading so it makes
not difference if you download then read it.

 

Re: Urgently needs protection against PDF and Java exploits that bypass user executio

Easier said than done, I would not be able to do my internet i-banking without java installed.

 

Re: Urgently needs protection against PDF and Java exploits that bypass user executio

Then use Firefox with NoScript, or Opera so that it isn't enabled by default on every web site.

 

Re: Urgently needs protection against PDF and Java exploits that bypass user executio

For firefox you can enable/disable it on demand.
if usefull get a button for that --> http://codefisher.org/toolbar_button/

 

Thanks for all your good suggestions which means java must still be installed but should not be enabled by default in your browsers.

On Java 6 update 18, any need to update to 19

I am using Opera, so I don't have to do anything else. Wow, no wonder, Opera is known as a safe and secure browser.

 

"Java Patch Plugs 27 Security Holes"

http://krebsonsecurity.com/2010/04/java-patch-plugs-27-security-holes/

27 security holes on the second most popular attack vector? You tell me.

 

Tired of doing these updates. Based on what is targeted on java update 20 may actually arrive sooner than expected.

Been running update 18 since Dec 2009 and no attack for me so far. Of course, I do have other security layers, so will stay put for the time being.

 

Of course, new security holes are always discovered, but using ancient versions with tons of holes which are known for a long time, so there's a lot of malware abusing it, that's just asking to get infected.

Plus, Adobe Reader already asked for the file from the PDF to be executed, only Foxit needed an update to make it ask before executing.

 

I'm sorry, but is it too much to ask for ESET to protect me and my users from these attacks?

We pay a significant fee to ESET every year. I would expect they would keep up with changing trends and provide protection against the latest threats.

In the last 60 days I have had 3 machines destroyed by attacks from legit websites. NOD32 never saw the attacker and allowed the attacker to rip it's guts out. Luckily, I have an image to rebuild machines from and it only takes half a day to get a user back and working. But that's a day and a half I could have dedicated to building my business.

In a corporate environment, disabling Java, using Firefox, or moving away from Adobe reader is not an option. I have many customers with custom web portals that do not run well on Firefox, and require Java, that we must use if we wish to continue to do business with them.

What am I spending money on if ESET cannot protect me as advertised?

 

get a cisco remote box!

 

While the junky bug-ridden Sun Java and Adobe Reader are both free, right? Did you realize that it's those two that are broken and vulnerable here? Any AV is reactive by nature, it doesn't detect unknown malware unless it's caught by some heuristics.

 

I don't think you read my entire post. My customers determine what software I use. Otherwise they don't do business with me and I go out of business.

This is what ESET advertises:

"ESET NOD32 Antivirus 4 protects your business without creating system slowdowns that negatively impact productivity. It is effective against emerging malware and Internet threats as they are released, not hours or days later. "

This is what I pay for. Does it deliver? No not in my experience.

I don't think ESET is ready to be a corporate solution. At least McAfee put up a fight before it let anything it did not recognize kill it. I may have to go back to McAfee once my ESET license is up.

 

Well, you definitely are reading way to much into the marketing blurb and less into the EULAs. Whatever, this is pretty pointless debate.

1/ AVs by their nature are NOT prevention, they are reactive.
2/ AVs are not designed to work around fatal flaws in other products, you need a different kind of product for this (such as HIPS, behaviour blocker, sandbox).
3/ Every AV out there will fail you sooner or later with different kind of malware (see above). So, good luck w/ McAfee if you think it's gonna be any better.
4/ Stubbornly insisting on using buggy bloatware such as Adobe Reader won't get you anywhere. Adobe seems to have long forgotten that PDF stands for Portable Document Format and keep integrated incredibly stupid stuff which worse yet is enabled by default, together with sloppy programming a sure recipe for disaster. Also, why people keep on insisting to open the PDFs within their browser goes beyond me. At best it causes a quite noticeable browser freeze while the thing loads.

As for Java... I've recently downloaded JavaRa which wiped about 12 outdated JRE versions from my computer, including full installer of versions "uninstalled" ages ago plus huge amount of registry junk. Shame on you, Sun, you are a joke, a bad one for that matter.

P.S. I don't exactly care what your customers use, not a problem of mine. If you are seeking to minimize damage caused by similar exploits in buggy software, then antivirus solutions are totally not what will help you there. You need a layered approach and AVs are actually the last thing that will hopefully trigger the emergency brake once everything else failed and the malware got through... or not, like in this case.

 

thats the point to discuss - i would say that AV should be the last security
instance which can fail. on the other hand exploits on some software is NOT
new! so admin has to do his job here before.
the trouble seems the short term testing vs the long term being exploited (both in days).
the next important point is that any av is only one wheel in the gear box.
any time i read that people rely on their installed software - and some failed.

 

Well, pretty much... also, for all these horror stories, I'd say a good 95% of the 't3h noes, my box p0wn3d, all beer in my fridge gone and my bank account empty' stories would not have happened if the people were using LUA/SRP+common sense plus cared to update at least their vulnerable stuff (hey, Secunia PSI will watch it for you!) - see the first post, wow... surprise, Adobe Reader 9.1 and I got screwed. Ugh, kinda feel like it's lost cause anyway, people should spend more money on educating themselves and less on "unique, guaranteed 100% etc." solutions marketed to them.

(And don't get me wrong, this is not aimed at ESET or anyone else in particular here.)

 

Hello,

Oracle (formerly Sun) has released an out-of-band update in order to patch the vulnerability being exploited in Java. Java 6.0 Update 20 can be downloaded from the official Java web site at http://www.java.com/en/download/manual.jsp.

The exploitation code which is used to taken advantage of this security hole is detected using generic detection technologies by ESET as "JS/Exploit.JavaDepKit.A trojan." For additional information, I would recommend reading today's ESET Threat Blog article, "Unpatched Java Deployment Kit Vulnerability Exploited in the Wild" which discusses the work done by some of the heavy hitters in ESET's virus lab to analyze this threat.

I know there are a number of businesses who use Adobe Reader for workflow purposes and must enable its JavaScript interpreter for forms automation, but if you do not need that functionality then perhaps it is time to at least being investigating alternatives, such as the free (open source) Sumatra PDF Reader.


Regards,

Aryeh Goretsky

 

Thank you

 

I will second the recommendation for Sumatra PDF, it rocks. It does not execute applications or interpret javascript; it just reads PDFs, and does so well and quickly. If you do not require some of those more ridiculous functions of "modern" PDF readers, you should probably use it rather than Adobe or even Foxit.

As for Java, I don't even bother installing it on Windows.

However - if you really need both Adobe Reader and Java, I would strongly recommend either using a limited user account or a HIPS. Both methods have their advantages and disadvantages:

- LUA, especially in combination with SRP, is probably safer, and is more convenient for most people. However, it won't tell you whether software you install as admin is dangerous, whether it phones home, etc.

- HIPS software is a bit more annoying due to all the popups you get while setting your system up, and may be a bit riskier if you're running as admin due to the probability of human error. However, it can tell you when software you install is doing something underhanded and sinister, which is quite useful; and generally gives you more control over your system.

There's also sandboxing and virtualization software. The big free ones are Returnil (which makes a virtual copy of your OS) and Geswall (which sandboxes apps individually). Returnil is wonderful for maintaining a static system, but a bit inconvenient otherwise, at least in the free version. Geswall I haven't used much, but it seems to work pretty well *IF AND ONLY IF* you make sure that untrusted or potentially compromisable executables actually have the "untrusted" label. If you don't do that, it's useless. If you do, though, it's pretty secure.

Finally I'm going to shamelessly plug my favorite security software...

Macrium Reflect

It can create a snapshot of a Windows system and back it up to a DVD, or multiple DVDs. It can also create a Linux or BartPE based rescue disk. Needless to say this is absolutely indispensable in the event of a bad infection - you can just boot from the rescue CD, copy the image onto your hard drive, and rewrite the MBR, and in 5-10 minutes you have a clean new system. If you have a CD/DVD writer and a Windows machine you should absolutely be using this, or some form of backup software, be it Clonezilla, PING, Ghost4Linux, Acronis, the original Norton Ghost, whatever! Just have some means of recovering your OS from backup in case things go pear-shaped.