Defense in Depth

February 11, 2008 10:07 AM PST

Exploits plague Adobe Reader and Acrobat

by Robert Vamosi

Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.

The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."

The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affect users of Adobe Reader 8.1 on Windows XP SP2 and are to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."

The Adobe Reader Security Provider Unsafe Library Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."

In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.

January 10, 2008 10:46 AM PST

MBR rootkit targets Windows users

by Robert Vamosi

Security experts warned on Wednesday of a new rootkit aimed at users of the Windows operating system.

The rootkit hides in the Master Boot Record (MBR), or Sector 0 of the hard disk drive where the primary partition entries in its partition table are stored. According to Verisign's iDefense research unit, the rootkit overwrites the existing MBR, making discovery very difficult. A rootkit is a program or group of programs designed to take root or administrator control of a computer without the user knowing.

Trend Micro and Sunbelt indicate that infection rates appear low, especially if end users have applied all available Windows updates to their system.

According to iDefense, the samples of this MBR rootkit were first reported in mid-December, with the first wave hitting 1,800 computers on December 17 and a second wave hitting 3,000 computers on December 19. On December 22, the code was released into the wild, with iDefense reporting a total of 5,000 infections worldwide through January 7.

The current rootkit code appears to be based on two theoretical stealth rootkit presentations: one given by eEye security researchers Derek Soeder and Ryan Permeh (PDF file) for Windows NT machines at Black Hat USA 2005, and another by independent security researchers Nitin Kumar and Vipin Kumar (PDF file) for Windows Vista machines at Black Hat USA 2007. A comparison of the demonstration code used in those presentations alongside the actual MBR rootkit code can be found on the GMER site. GMER is the nickname of a researcher who makes an application that detects and removes rootkits.

Infection occurs when a user visits an infected Web site. The infected site contains an iframe that links to a server hosting several exploits. If the user's machine is vulnerable to any of the following exploits, it will become infected:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

According to GMER, detecting this rootkit requires comparing the current MBR to a stored image. If the two are not identical, the machine has most likely been infected. Removal requires reverting the infected system back to an uninfected version of the MBR.
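A minimal version of the check described above, added here as an example and not taken from GMER's tool: it compares a captured sector 0 against a stored baseline image region by region (boot code, partition table, boot signature) and turns the result into a verdict. Both sectors below are constructed sample data; on a real machine the current sector would be read from the physical disk with administrative rights.

```python
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code
PT_OFF = 446               # bytes 446..509 hold four 16-byte partition entries
SIG_OFF = 510              # bytes 510..511 hold the 0x55 0xAA boot signature


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with the given boot code and one (constructed) partition entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])  # active, type 7
             + (63).to_bytes(4, "little")            # starting LBA
             + (1_000_000).to_bytes(4, "little"))    # sector count
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare the current sector 0 against a stored baseline image region by region."""
    if len(baseline) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    return {
        "identical": baseline == current,
        "signature_ok": current[SIG_OFF:] == b"\x55\xAA",
        "boot_code_changed": baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN],
        "partition_table_changed": baseline[PT_OFF:SIG_OFF] != current[PT_OFF:SIG_OFF],
        "changed_offsets": [i for i in range(SECTOR_SIZE) if baseline[i] != current[i]],
    }


def classify(report: dict) -> str:
    """Turn the comparison into a verdict an operator can act on."""
    if report["identical"]:
        return "clean"
    if not report["signature_ok"]:
        return "corrupt: boot signature missing"
    if report["boot_code_changed"] and not report["partition_table_changed"]:
        # Boot code replaced but partition table intact: the machine still boots
        # normally, which is what a boot-sector rootkit relies on to stay hidden.
        return "suspect: boot code replaced, partition table intact"
    return "changed: partition table modified"


if __name__ == "__main__":
    baseline = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed "known good" image
    current = build_sample_mbr(b"\xeb\x3c\x90")            # constructed "after infection"
    report = compare_mbr(baseline, current)
    print(classify(report), "at offsets", report["changed_offsets"])
```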
