A not-so-merry holiday gift for Amazon.com: hackers say they've successfully cracked copyright protections on the company's Kindle e-reader, making it possible to export e-books to other devices.
One hack reportedly resulted from a Kindle DRM challenge issued on Israeli forum Hacking.org. On that site, an Israeli hacker known as Labba claims to have created a tool that lets e-books stored on the Kindle be transferred as PDF files.
A U.S. hacker has written a program to crack copyright protections on the Kindle for PC application.
(Credit: Amazon)A U.S. hacker who goes by the name "i♥cabbages," meanwhile, created a program called Unswindle that promises to convert books stored in the Kindle for PC application into a different file format.
The free Kindle for PC app lets book buyers read their books right from their PCs without having to buy a Kindle reader. Unswindle has to be used in conjunction with MobiDeDRM, a program by another hacker named "darkreverser."
Posters on i♥cabbages' blog give Unswindle mixed reviews, ranging from "works like a charm" and "worked flawlessly" to descriptions of various errors.
... Read moreAdobe on January 12 will patch a critical hole in Reader and Acrobat that is being exploited in attacks. That date is the company's next scheduled quarterly security update release.
The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer.
Malicious Adobe Acrobat PDF files are distributed via an e-mail attachment that, when opened, executes a Trojan that targets Windows systems, according to Symantec. The rate of infection is extremely limited and the risk assessment level is very low, the company said.
Adobe decided to issue the patch in cycle in about four weeks rather than work on an earlier patch release because that would take between two and three weeks to deliver and would put the regular quarterly update off schedule, the company said in a blog post.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010," Adobe's Brad Arkin wrote.
In the meantime, customers can use a new JavaScript Blacklist mitigation feature that allows for easy disabling of JavaScript, Arkin said.
"Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of [releasing the patch in cycle] to better align with their schedules," he wrote.
Meanwhile, Webroot analyzed the payload of the malware and found that it installs three files that look like Windows system files that are digitally signed with a forged Microsoft certificate. Unlike legitimate Microsoft-signed certificates, these lack an e-mail address and a time stamp, the company said in a blog post.
"Authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way," writes Webroot researcher Andrew Brandt. "It's not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good."
Updated 3:50 p.m. PST with Webroot finding forged Microsoft certificates in the malware.
Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.
The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.
Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.
The rate of infection is extremely limited and the risk assessment level is very low, according to Symantec.
The exploit has been in the wild since at least last Friday, according to the Shadow Server blog.
"Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable," the post says. "We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad."
The vulnerability is in a JavaScript function within Adobe Acrobat Reader itself, the Shadow Server post says, before advising users to disable JavaScript.
Adobe posted a security advisory late on Tuesday saying that it had confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could crash the system and allow an attacker to take control of the computer.
Affected software is Reader 9.2 and earlier for Windows, Macintosh, and Unix, and Acrobat 9.2 and earlier for Windows and Macintosh, Adobe said. The company recommended disabling JavaScript to protect the system.
Adobe had said on Monday night that it was investigating reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.
Adobe has increasingly had to deal with holes in and exploits targeting its popular software. Adobe issued updates in October that fixed nearly 30 holes in Reader and Acrobat 9.2. Earlier that month, Trend Micro reported on a zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat.
In July, Adobe warned of attacks in which malicious PDF files were exploiting a vulnerability in Flash. And in April a new Reader hole emerged after Adobe fixed a two-month-old critical vulnerability in Adobe Reader 9 and Acrobat 9.
Updated 5:10 p.m. PST with Adobe confirming vulnerability.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
Adobe on Tuesday released a security bulletin that includes fixes for 28 vulnerabilities in Adobe Reader and Acrobat, including a critical hole that has reportedly been exploited in the wild in limited attacks.
Affected software includes version 9.1.3 of Reader and Acrobat; Acrobat 8.1.6 for Windows, Macintosh, and Unix; and version 7.1.3 of Reader and Acrobat for Windows and Macintosh. The vulnerabilities could cause the applications to crash and could allow an attacker to take control of a user's computer.
Adobe recommends that people update to Adobe Reader 9.2 and Acrobat 9.2, or Acrobat 8.1.7 or Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates.
One of the updates addresses a hole that Trend Micro says has been exploited by a Trojan horse that arrives as a PDF file containing malicious JavaScript. That exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.
"All users of Adobe Reader or Acrobat will need to update their software with today's release because these updates include fixes for the most critical kind of bugs," said Andrew Storms, director of security operations at nCircle.
This is Adobe's second quarterly security update for Adobe Reader and Acrobat.
Also on Tuesday, Microsoft issued a security advisory with a record number of bulletins, including the first fixes for critical holes in Windows 7.
A new zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat, drops a backdoor onto computers using JavaScript, Trend Micro researchers warned on Friday.
Trend Micro identified the exploit as a Trojan horse dubbed "Troj_Pidief.Uo" in a blog post. It arrives as a PDF file containing JavaScript-based malware, "Js_Agent.Dt," and then drops a backdoor called "Bkdr_Protux.Bd."
The exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.
The blog post provides technical details on how the malware works, specifically the activity of its shell code, the piece of code that delivers the payload. The JavaScript is used to execute arbitrary codes in a technique known as "heap spraying."
"Based on our findings, the shell code (that was heap-sprayed) jumps to another shell code inside the PDF file" before extracting and executing the backdoor, Trend Micro said. The backdoor "is also embedded in the PDF file and not the usual file downloaded from the Web."
Variants of the Protux backdoor typically provide an attacker unrestricted user-level access to a compromised machine and previously exploited vulnerabilities in Microsoft Office files, according to Trend Micro.
Adobe announced on Thursday that it would release an update to fix the hole on Tuesday, the same day as Microsoft's Patch Tuesday.
This screenshot shows the embedded executable file in the PDF file, after it has been decrypted.
(Credit: Trend Micro)If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.
In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits are on the rise while Microsoft's is falling.
Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of PDF files used in dangerous Web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.
In addition, there are more and more zero-day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.
There have been zero-day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on Web sites. And in one case this spring, a zero-day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.
One security researcher at Black Hat last week, who asked to remain anonymous, said: "As a result of the number of zero-day attacks on PDFs this year, large banks hate Adobe."
F-Secure said it identified about 1,967 targeted attack files in 2008, the most popular type being .doc used in Microsoft Word.
(Credit: F-Secure)Those scary statistics prompted F-Secure researcher Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users to switch to an alternative PDF reader at the RSA show in April.
Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.
"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realizing that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.
An Adobe manager said the problem stems from the fact that it's software is so broadly used.
"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on Earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.
Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.
Microsoft: Been there, done that
In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.
The company established a Security Development Lifecycle program, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.
During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDF. The change from the previous year is primarily due to the fact that there have been more vulnerabilities in Adobe Acrobat/Reader than in Microsoft Office, F-Secure said.
(Credit: F-Secure)Now it's Adobe's turn to step up to the plate.
"Microsoft is a model for patch management...they were forced into it. They really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."
In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.
In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.
At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself." He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."
The company was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which was being exploited, according to Arkin.
"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.
A zero-day exploit targeting Reader and Acrobat that Adobe learned about on April 27 was fixed about two weeks later, he said. And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.
"We are quite happy with the performance on those," Arkin said of the time frame for the patches.
The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall he said. "Adobe integrates the best practices you see at Microsoft and other companies."
The security researcher who asked not to be named complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.
The program's functions require it to be able to save and open files on the file system and thus have read and write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system," and the privileges between the two types of programs are similar, he added.
Security-versus-functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it's the favorite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.
"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.
"I'd like to think that they would start realizing that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"
Not really, the experts agreed.
Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regards to security issues and suggested critics should cut the company some slack.
"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.
"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.
"There's always a 'most vulnerable' attack surface."
(Credit:
Adobe)
Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.
The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.
The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.
An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by July 30, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by July 31.
An attacker can exploit the vulnerability by luring someone to a Web site hosting a specially crafted Shockwave Flash file, US-CERT said in an advisory Thursday.
"The Adobe Flash browser plug-in is available for multiple Web browsers and operating systems, any of which could be affected," CERT said. "An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."
The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, CERT said.
To disable Flash, US-CERT recommends:
• Disabling Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
• Disabling Flash Player or selectively enabling Flash content as described in the "Securing Your Web Browser" document.
"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF (Shockwave Flash) content," the Adobe advisory said.
Typically, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll, Adobe said.
Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Access Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar Web sites.
Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The bug used in the exploit has been around since December 2008.
Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.
Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.
In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes on a Symantec Security blog post.
"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."
It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.
The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.
US-CERT offered information about workarounds on its Web site:
• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
Correction 4:05 p.m. PDT: This post initially misstated how often the security updates will be. Adobe plans to issue updates quarterly.
Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat.
The security updates will be delivered on a second Tuesday once a quarter, beginning this summer, Brad Arkin, director of product security and privacy, wrote in a blog post. Microsoft's Patch Tuesday updates are issued monthly on the second Tuesday.
Adobe security patches released on Patch Tuesdays March 10 and May 12 were coincidental, the post said.
The most recent patch fixed a hole in Flash Media Server 3.5.1 and earlier that could allow an attacker to execute remote procedures in Flash Media Interactive Server or Flash Media Streaming Server.
The March patch fixed a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.
The Adobe Reader issue sparked "a lot of conversation internally at Adobe from executives to testers and developers" and ultimately led to the permanent changes to Adobe's software security approach, Arkin said. "Everything from our security team's communications during an incident to our security update process to the code itself has been carefully reviewed," he wrote.
All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft's much-touted Security Development Lifecycle, according to Arkin. Now, Adobe is working on hardening at-risk areas of its legacy code too, he added.
Arkin also promised that people outside the company "will see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."
Security issues with Adobe Reader prompted firm F-Secure to suggest that people should switch to an alternate PDF reader at the RSA security conference last month. Just last month another security hole surfaced in Adobe Reader.
