Adobe “PIDIEF” 0-Day

On December 6, Adobe announced that a zero-day vulnerability in all supported versions of Adobe Acrobat and Reader is being exploited in the wild.  No patch is currently available.  Apparently, Lockheed Martin reported the issue, indicating this may have been used in an attack on the defense technology company.  Targeted attacks were reported in the first week of November, so this one has been active for a while.

The vulnerability is being exploited in the wild through PDF attachments to e-mails containing what Symantec is calling “Pidief“, listed as a family of Trojans that drop or download additional malware on to a compromised computer.  The malware agent is reportedly dropping “Sykipot” once initially compromised, providing a backdoor into the system for remote control.

Adobe expects to have a patch released for Reader and Acrobat 9 by the week of December 12, and will update Reader/Acrobat X as part of its regular quarterly patch cycle on January 10th, 2012.  Adobe recommends that, in the meantime, users rely on Reader and Acrobat X’s Protected Mode (sandbox) to limit exposure.

  • Exercise extreme caution when handling PDF files.  Any PDF email attachments should be treated suspiciously.  Email attachments are a common vector for targeted attacks with this kind of vulnerability.
  • Instruct users to use extreme caution when opening PDF files from unknown or untrusted sources, especially email attachments.
  • Upgrade to Adobe Reader X and Adobe Acrobat X, which provide a built in sand-box enabled by default.
  • Apply the patch from Adobe as soon as it becomes available.
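The advice above (and the embedded-Flash vector described in the Flash Player advisory further down) boils down to: treat inbound PDFs as untrusted until someone has looked at them.  The following triage script is an added example, not code from the original post or from Adobe; it counts the PDF object keywords that typically mark an exploit document (JavaScript, auto-open actions, launch actions, embedded files, embedded Flash via /RichMedia), normalises the `#xx` hex escapes that PDF names allow so an obfuscated `/J#61vaScript` still matches, and runs on a constructed sample PDF.  The keyword list is an assumption based on common triage practice.

```python
import re

# Object keywords worth a closer look before a PDF is opened by a user.
# This list is an assumption based on common triage practice.
RISKY_KEYWORDS = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/JBIG2Decode",
)

def _unescape_name(name):
    """PDF names may contain '#xx' hex escapes (e.g. /J#61vaScript).
    Decode them so an obfuscated keyword still matches the list."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), name)

def scan_pdf_bytes(data):
    """Count risky name tokens in raw PDF bytes.  Returns {keyword: count}.
    Caveat: content inside compressed streams is not visible to this scan;
    a high /ObjStm count is itself a hint that objects are hidden."""
    text = data.decode("latin-1")
    counts = {k: 0 for k in RISKY_KEYWORDS}
    # A name token is '/' followed by characters up to the next delimiter or whitespace.
    for m in re.finditer(r"/[^\s/<>\[\]()\{\}%]*", text):
        name = _unescape_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def triage(data):
    """Return (verdict, hits) where verdict is 'clean', 'review' or 'suspicious'."""
    counts = scan_pdf_bytes(data)
    hits = [k for k, v in counts.items() if v]
    if not data.startswith(b"%PDF"):
        return "suspicious", ["missing %PDF header"] + hits
    if any(k in hits for k in ("/JavaScript", "/JS", "/Launch", "/RichMedia")):
        return "suspicious", hits
    if hits:
        return "review", hits
    return "clean", hits

# Constructed sample: auto-open action pointing at an (obfuscated) JavaScript action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample with no active content.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))  # -> ('suspicious', ['/JavaScript', '/JS', '/OpenAction'])
    print(triage(CLEAN_PDF))   # -> ('clean', [])
```

A hit is a reason to hold the attachment for analysis, not proof of malice; plenty of legitimate forms carry JavaScript, which is exactly why the vendor advice above is to distrust PDF attachments by default.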

Another Adobe 0-day

Adobe has issued another Security Advisory (APSA11-02) in regards to a critical vulnerability that exists in Flash Player and earlier for Windows, Mac, Linux and Solaris, as well as Adobe Flash Player and earlier for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and earlier for Windows and Mac operating systems.  This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.  At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.

Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, Adobe is planning to address this issue in Reader X for Windows with their June 14 security update.

Beware Excel Docs – Adobe 0-day Patch Coming

Adobe will release emergency fixes for a critical flaw in Flash and Reader that is being actively exploited in targeted attacks, planting malware on vulnerable computers.  The patches will be available the week of March 21, and will address the problem in Adobe Flash player 10 and Adobe Reader versions 9, 10 and X, with the exception of Reader X for Windows, which ships with a sandbox feature that has blocked the attacks so far.  The attackers are using specially-crafted Microsoft Excel documents to exploit the flaw.

Ransomware Making A Comeback

Security firms are reporting a resurgence of ransomware, malware designed to encrypt and hold users’ data hostage on their own computers until payment is made.  The newest variants are demanding payment of as much as US $120 to provide the decryption keys to user data. 

Infected PDF files are being used by some malware to exploit known vulnerabilities in unpatched Adobe Reader software installations.  Other variants target the master boot record of Windows hard drives. 

Make sure that your applications are all patched up, and ensure that you update your backups.  External hard drives are cheap commodity items these days, so make the investment.  Or get that significant other to set one under the tree for you this year.  I have seen 1TB USB drives going for under $200! 

Adobe Announces Reader X -=[SooN]=-

Adobe has released Reader X, the latest version of its popular PDF reading software.  The Windows version includes a “sandbox” called Protected Mode, intended to protect users from PDF attacks.  Protected Mode isolates system processes, supposedly preventing malware from escaping the application. 

If Reader needs to perform an action that is not permitted in the sandbox environment, like writing to the temp folder, those requests are funneled through a “broker process”, controlled by a set of policies stipulating what is and isn’t allowed.  This technology should take a significant amount of pressure off of Adobe, whose products have become a favorite target and delivery mechanism for malware distribution.

The Mac OS X and Android versions lack the sandbox technology.  Adobe has not laid out a timetable for offering Reader X to existing users; however, the company will not initially roll out the new version via Reader’s built-in updater.  It will be offered to users of older versions first, before version 9 users.

Learn more about it here.  I hope that they do something about Flash soon.  It remains a standing and often overlooked target.

Adobe Releases Emergency Reader Patch

According to ComputerWorld, Adobe just issued an emergency update for its popular Reader PDF software patching two critical vulnerabilities, including one attackers have been exploiting for weeks.  Successful attacks have dropped a Trojan horse and other malware on victimized Windows PCs.

Adobe Advisory

Yet ANOTHER Adobe Zero-Day

I haven’t been able to keep up with the most recent Adobe threats, as there have been so many in the last month or two.  Here is the latest Flash vulnerability that now has exploit code in the wild AND, apparently, a Metasploit module to keep the script kiddies busy and happy.

Multiple vulnerabilities have also been recently identified in Shockwave Player, which could allow malicious code to run on the affected system by exploiting memory corruption and buffer overflow conditions.  Some of these vulnerabilities are rated critical by the vendor.  Exploit details were posted for CVE-2010-3653 and functioning exploit code is available in tools such as Metasploit.

I’m thinking it is time once again to get rid of Adobe products from my systems completely.  Shockwave and Flash are cool for web-based eye candy, but when they start introducing this kind of risk, their value is certainly in question.  Reader and Acrobat have already been replaced on my systems.  I hope Adobe can clean up their act, as they are now acquiring other companies and products…