Adobe “PIDIEF” 0-Day

On December 6, Adobe announced that a zero-day vulnerability in all supported versions of Adobe Acrobat and Reader is being exploited in the wild.  No patch is currently available.  Apparently, Lockheed Martin reported the issue, indicating this may have been used in an attack on the defense technology company.  Targeted attacks were reported in the first week of November, so this one has been active a while.

The vulnerability is being exploited in the wild through PDF attachments to e-mails containing what Symantec is calling “Pidief”, listed as a family of Trojans that drop or download additional malware onto a compromised computer.  The malware agent is reportedly dropping “Sykipot” once the system is initially compromised, providing a backdoor for remote control.

Adobe expects to have a patch released for Reader and Acrobat 9 by the week of December 12, and will update Reader/Acrobat X as part of its regular quarterly patch cycle on January 10th, 2012.  In the meantime, Adobe recommends relying on Reader and Acrobat X’s Protected Mode or sandbox capabilities to protect users.

  • Exercise extreme caution when handling PDF files.  Any PDF email attachments should be treated suspiciously. Email attachments are a common vector for targeted attacks with this kind of vulnerability.
  • Instruct users to use extreme caution when opening PDF files from unknown or untrusted sources, especially email attachments.
  • Upgrade to Adobe Reader X and Adobe Acrobat X, which provide a built-in sandbox enabled by default.
  • Apply the patch from Adobe as soon as it becomes available.
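Since the advice above treats every mailed PDF as suspect, a defender needs a quick way to triage attachments before anyone opens them. The following script is an added example, not code from the original post or from Adobe: it scans a PDF for the name tokens that typically mark auto-running or embedded content (JavaScript, open actions, launch actions, rich media handled by the Flash component), decodes the `#xx` hex escapes that PDF allows inside names so that obfuscated tokens like `/J#61vaScript` are still recognised, and returns a report. The sample PDF bytes are constructed for the demonstration; the token list is a triage heuristic, not proof of malice.

```python
import re

# Name tokens that warrant a closer look in a mailed PDF (triage heuristic).
SUSPICIOUS_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript action",
    "/OpenAction": "action runs automatically when the file opens",
    "/AA": "additional (automatic) actions",
    "/Launch": "launch action (runs an external program)",
    "/RichMedia": "embedded Flash/rich media (handled by the Flash component)",
    "/EmbeddedFile": "embedded file attachment",
}

def decode_pdf_name(raw: str) -> str:
    """Undo #xx hex escapes in a PDF name, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(r"#([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw)

def triage_pdf(data: bytes) -> dict:
    """Report header validity, object count and suspicious name tokens found."""
    text = data.decode("latin-1")          # byte-preserving decode
    names = {decode_pdf_name(n) for n in re.findall(r"/[A-Za-z0-9#_.]+", text)}
    found = {n: why for n, why in SUSPICIOUS_NAMES.items() if n in names}
    valid_header = text.startswith("%PDF-")
    return {
        "valid_header": valid_header,
        "objects": len(re.findall(r"\b\d+\s+\d+\s+obj\b", text)),
        "suspicious": found,
        "flag_for_analysis": bool(found) or not valid_header,
    }

# Constructed sample: an open action that triggers obfuscated JavaScript,
# plus a rich-media annotation. Not a real malicious file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample with no active content.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```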

Another Adobe 0-day

Adobe has issued another Security Advisory (APSA11-02) regarding a critical vulnerability in Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, as well as Adobe Flash Player 10.2.156.12 and earlier for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and earlier for Windows and Mac operating systems. This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.  At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.

Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, Adobe is planning to address this issue in Reader X for Windows with their June 14 security update.

http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/

Beware Excel Docs – Adobe 0-day Patch Coming

Adobe will release emergency fixes for a critical flaw in Flash and Reader that is being actively exploited in targeted attacks, planting malware on vulnerable computers.  The patches will be available the week of March 21, and will address the problem in Adobe Flash player 10 and Adobe Reader versions 9, 10 and X, with the exception of Reader X for Windows, which ships with a sandbox feature that has blocked the attacks so far.  The attackers are using specially-crafted Microsoft Excel documents to exploit the flaw.

http://www.computerworld.com/s/article/9214521/Hackers_exploit_Flash_zero_day_Adobe_confirms?taxonomyId=17

Ransomware Making A Comeback

Security firms are reporting a resurgence of ransomware, malware designed to encrypt and hold users’ data hostage on their own computers until payment is made.  The newest variants are demanding payment of as much as US $120 to provide the decryption keys to user data. 

Infected PDF files are being used by some malware to exploit known vulnerabilities in unpatched Adobe Reader software installations.  Other variants target the master boot record of Windows hard drives. 

Make sure that your applications are all patched up, and ensure that you update your backups.  External hard drives are cheap commodity items these days, so make the investment.  Or get that significant other to set one under the tree for you this year.  I have seen 1TB USB drives going for under $200! 

Adobe Announces Reader X -=[SooN]=-

Adobe has released Reader X, the latest version of its popular PDF reading software.  The Windows version includes a “sandbox” called Protected Mode, intended to protect users from PDF attacks.  Protected Mode isolates system processes, supposedly preventing malware from escaping the application. 

If Reader needs to perform an action that is not permitted in the sandbox environment, like writing to the temp folder, those requests are funneled through a “broker process”, controlled by a set of policies stipulating what is and isn’t allowed.  This technology should take a significant amount of pressure off of Adobe, whose products have become a favorite target and delivery mechanism for malware distribution.

The Mac OS X and Android versions lack the sandbox technology.  Adobe has not laid out a timetable for offering Reader X to existing users; however, the company will not initially roll out the new version via Reader’s built-in updater.  It will be offered to users of older versions first, before version 9 users.

Learn more about it here.  I hope that they do something about Flash soon.  It remains a standing and often overlooked target.

Adobe Releases Emergency Reader Patch

According to ComputerWorld, Adobe just issued an emergency update for its popular Reader PDF software patching two critical vulnerabilities, including one attackers have been exploiting for weeks.  Successful attacks have dropped a Trojan horse and other malware on victimized Windows PCs.

Adobe Advisory

Yet ANOTHER Adobe Zero-Day

I haven’t been able to keep up with the most recent Adobe threats, as there have been so many in the last month or two.  Here is the latest Flash vulnerability that now has exploit code in the wild AND, apparently, a Metasploit module to keep the script kiddies busy and happy.

Multiple vulnerabilities have also been recently identified in Shockwave Player, which could allow malicious code to run on the affected system by exploiting memory corruption and buffer overflow conditions.  Some of these vulnerabilities are rated critical by the vendor.  Exploit details were posted for CVE-2010-3653 and functioning exploit code is available in tools such as Metasploit.

I’m thinking it is time once again to get completely rid of Adobe products from my systems.  Shockwave and Flash are cool for web-based eye candy, but when they start introducing this kind of risk, their value is certainly in question.  Reader and Acrobat have already been replaced on my systems.  I hope Adobe can clean up their act, as they are now acquiring other companies and products…

Adobe Patches 23 Vulnerabilities

Adobe released updates for Reader and Acrobat on the 5th that fix 23 vulnerabilities, including two that are actively being exploited in attacks that could allow someone to take control of the victim computer.  One critical vulnerability is being used in attacks against Reader and Acrobat; another, fixed in an emergency update late last month, targets Flash Player.

Details are in the latest security advisory.

The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Adobe Accelerates Patch Release

Adobe is planning to release updates on Oct. 5 to address vulnerabilities affecting Adobe Reader and Acrobat, a week ahead of its regular schedule.  The updates address problems in Adobe Flash Player that also affect Reader versions 9.3.4 and earlier on Windows, Mac and Unix systems, and Adobe Acrobat 9.3.4 and earlier for Windows and Mac.

Adobe

Another Busy Patch Release Day…

Microsoft has released 14 patches against 34 vulnerabilities; many of them allow remote code execution, but most were privately disclosed.  Adobe has half a dozen.

It’s just so much easier to go to the SANS website rather than have me do a quick rehash of the excellent job they’ve already done in analyzing these vulnerability reports.  Take the CRITICALS on the board to heart when considering priorities.  There are a number of vulnerabilities in this patch release that I am going to be placing on my watch list, and I expect them to get some quick play on the dev boards.  Also note the exploit code and 0-day updates.  http://isc.sans.edu/diary.html?storyid=9361

Adobe also released a number of patches for their products, fixing 6 vulnerabilities in Flash Player, all of them rated critical.  Today’s update was 2010’s third for Flash Player, a browser plug-in that’s installed on an estimated 99% of all personal computers.  Previous updates in March and June fixed a total of 33 other flaws.  One of the patches is a second try for Adobe: the company tried to patch the CVE-2010-2188 flaw in Flash Player 2 months ago, but about 2 weeks later admitted its fix had failed, leaving users exposed while technical information and research papers about the vulnerability were already published.

Adobe revealed only the scantiest of details about the freshly patched bugs in their security advisory.  5 of the 6 were labeled as “memory corruption” vulnerabilities, while the 6th could potentially be used in a “click-jacking” attack.  Adobe is unaware of any in-the-wild exploitation of the vulnerabilities.

Here are the links to each of the security updates:

Flash Media Server – Rated Critical by Adobe

Adobe AIR and Flash – Rated Critical by Adobe

ColdFusion – Rated Important by Adobe