Adobe on January 12 will patch a critical hole in Reader and Acrobat that is being exploited in attacks. That date is the company's next scheduled quarterly security update release.
The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer.
Malicious Adobe Acrobat PDF files are distributed via an e-mail attachment that, when opened, executes a Trojan that targets Windows systems, according to Symantec. The rate of infection is extremely limited and the risk assessment level is very low, the company said.
Adobe decided to issue the patch in cycle in about four weeks rather than work on an earlier patch release because that would take between two and three weeks to deliver and would put the regular quarterly update off schedule, the company said in a blog post.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010," Adobe's Brad Arkin wrote.
In the meantime, customers can use a new JavaScript Blacklist mitigation feature that allows for easy disabling of JavaScript, Arkin said.
"Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of [releasing the patch in cycle] to better align with their schedules," he wrote.
Meanwhile, Webroot analyzed the payload of the malware and found that it installs three files that look like Windows system files that are digitally signed with a forged Microsoft certificate. Unlike legitimate Microsoft-signed certificates, these lack an e-mail address and a time stamp, the company said in a blog post.
"Authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way," writes Webroot researcher Andrew Brandt. "It's not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good."
Updated 3:50 p.m. PST with Webroot finding forged Microsoft certificates in the malware.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers, if they visit a Web site hosting the code, was posted to a security mailing list.
Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.
The exploit code was published to the BugTraq mailing list on Friday with no explanation.
"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.
"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.
Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.
In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.
In war and possibly in peace, China will wage cyberwar to control the information flow and dominate the battle space, according to a new report compiled for a congressional commission.
Chinese military strategists see information dominance as the key to overall success in future conflicts and will continue to expand the country's computer network exploitation capabilities, according to the report, titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation." The report was prepared for the U.S.-China Economic and Security Review Commission under contract by Northrop Grumman's Information Systems Sector.
In a conflict, China will likely target the U.S. government and private industry with long-term, sophisticated computer network exploitation and intelligence collection campaigns, the report concludes. U.S. security agencies can expect to face disciplined, standardized operations; sophisticated techniques; high-end software; and a deep knowledge of the U.S. networks, according to the report (PDF).
The strategy employed by the People's Liberation Army--China's military organization--is to consolidate computer network attacks with electronic warfare and kinetic strikes, creating "blind spots" in enemy systems to be exploited later as the tactical situation warrants, according to the report. The strategy, which has been adopted by the world's other technologically inclined armies, is referred to by the PLA as "Integrated Network Electronic Warfare," the report stated.
The emphasis on information warfare has forced the PLA to recruit from a wide swath of the civilian sector, according to the report. As is the case with the U.S. military and its new Cyber Command, the PLA looks to commercial industry and academia for people possessing the requisite specialized skills and pasty pallor to man the keyboards. And although it hints broadly at it, the report offers no evidence of ties between the PLA and China's hacker community.
The U.S.-China Economic and Security Review Commission reports and provides recommendations to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China.
A new zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat, drops a backdoor onto computers using JavaScript, Trend Micro researchers warned on Friday.
Trend Micro identified the exploit as a Trojan horse dubbed "Troj_Pidief.Uo" in a blog post. It arrives as a PDF file containing JavaScript-based malware, "Js_Agent.Dt," and then drops a backdoor called "Bkdr_Protux.Bd."
The exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.
The blog post provides technical details on how the malware works, specifically the activity of its shell code, the piece of code that delivers the payload. The JavaScript is used to execute arbitrary code in a technique known as "heap spraying."
"Based on our findings, the shell code (that was heap-sprayed) jumps to another shell code inside the PDF file" before extracting and executing the backdoor, Trend Micro said. The backdoor "is also embedded in the PDF file and not the usual file downloaded from the Web."
Variants of the Protux backdoor typically provide an attacker unrestricted user-level access to a compromised machine and previously exploited vulnerabilities in Microsoft Office files, according to Trend Micro.
Adobe announced on Thursday that it would release an update to fix the hole on Tuesday, the same day as Microsoft's Patch Tuesday.
This screenshot shows the embedded executable file in the PDF file, after it has been decrypted.
(Credit: Trend Micro)
A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.
An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.
Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data, exposing the browser to the bad guys.
Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls.
Development tools like Microsoft's own Visual Studio use the same library of code, known as Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix.
Howard said the typo would have been difficult to spot in a review of the code, and that none of Microsoft's code analysis methods would have uncovered it either.
In his blog, Howard played a high-tech version of "Where's Waldo?" by challenging readers to find the typo amid a few short lines of code, even hinting that it was a single character.
The code lines he listed were:
__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast<void **>(&pbArray));
hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);
And his riddle for readers:
"I'll give you one more clue - it's a one character typo. Give up? Look at the last line. The first argument is incorrect. It should be: hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);"
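To make the one-character difference concrete, the following C program is an added illustration written for this page; it is not Microsoft's ATL code and it does not use COM. A constructed in-memory "stream" (mock_stream, mock_read) stands in for IStream::Read. One function reproduces the typo, passing the address of the pointer variable rather than the pointer, and shows that the stream bytes land on the pointer's own stack slot while the array is left untouched; the demo clamps the size to sizeof(pbArray) so it stays in defined memory, whereas the original code had no clamp and so a stream-supplied length ran past the variable. A second function shows the corrected call, and a third adds the bounds check a reviewer would want next to the fix: refuse a stream-supplied cbSize that exceeds the buffer's capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for IStream::Read: copies up to n bytes from an
 * in-memory "stream" into dst and returns how many bytes it copied. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mock_stream;

static size_t mock_read(mock_stream *s, void *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* The typo: the destination is &pbArray (the stack slot holding the pointer)
 * instead of pbArray (the array it points to). The read overwrites the
 * pointer itself. The size is clamped to sizeof(pbArray) here so the demo
 * stays inside defined memory; the real code had no clamp, so a larger
 * stream-supplied cbSize kept writing past the variable.
 * Returns 1 if the pointer was overwritten and the array left untouched. */
static int typo_corrupts_pointer(const unsigned char *payload, size_t cbSize) {
    mock_stream s = { payload, cbSize, 0 };
    unsigned char arr[16];
    memset(arr, 0, sizeof arr);
    unsigned char *pbArray = arr;
    size_t n = cbSize > sizeof(pbArray) ? sizeof(pbArray) : cbSize;

    mock_read(&s, (void *)&pbArray, n);            /* <-- the typo */

    /* Inspect the pointer's storage as raw bytes; never dereference it now. */
    unsigned char raw[sizeof(pbArray)];
    memcpy(raw, &pbArray, sizeof raw);
    int ptr_overwritten = memcmp(raw, payload, n) == 0;
    unsigned char zeros[16] = {0};
    int arr_untouched = memcmp(arr, zeros, sizeof arr) == 0;
    return ptr_overwritten && arr_untouched;
}

/* Corrected call: the bytes land in the array the pointer refers to.
 * Returns 1 if the array holds the payload and the pointer is unchanged. */
static int fix_fills_array(const unsigned char *payload, size_t cbSize) {
    mock_stream s = { payload, cbSize, 0 };
    unsigned char arr[16];
    memset(arr, 0, sizeof arr);
    unsigned char *pbArray = arr;
    if (cbSize > sizeof arr) return 0;             /* demo stays in bounds */

    mock_read(&s, (void *)pbArray, cbSize);        /* corrected */

    return pbArray == arr && memcmp(arr, payload, cbSize) == 0;
}

/* Defensive companion to the fix: validate the stream-supplied length against
 * the buffer's real capacity before reading. Returns bytes read, or -1 if the
 * length cannot be trusted. */
static long read_into_array_checked(mock_stream *s, unsigned char *pbArray,
                                    size_t capacity, uint64_t cbSize) {
    if (cbSize > capacity) return -1;
    return (long)mock_read(s, (void *)pbArray, (size_t)cbSize);
}

/* Runs the checked read over a constructed 8-byte stream and 4-byte buffer. */
static long checked_read_demo(uint64_t cbSize) {
    static const unsigned char payload[] = "AAAAAAAA";   /* constructed sample */
    mock_stream s = { payload, 8, 0 };
    unsigned char arr[4];
    return read_into_array_checked(&s, arr, sizeof arr, cbSize);
}

int main(void) {
    static const unsigned char payload[] = "AAAAAAAA";   /* constructed sample */
    printf("typo overwrites the pointer itself: %d\n", typo_corrupts_pointer(payload, 8));
    printf("fix writes into the array:          %d\n", fix_fills_array(payload, 8));
    printf("oversized cbSize rejected (-1):     %ld\n", checked_read_demo(64));
    printf("in-range cbSize read (4):           %ld\n", checked_read_demo(4));
    return 0;
}
```

The point the demo makes is that static review cannot easily tell the two calls apart, since both `(void*)&pbArray` and `(void*)pbArray` are valid casts to the parameter type; the length check in the third function is the kind of guard that would have bounded the damage even with the typo in place.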
The hole was originally uncovered earlier this month by a pair of German researchers. Thomas Dullien (also known as Halvar Flake), CEO of Zynamics GmbH, and his friend Dennis Elser detailed their discovery in a blog. After the exploit became known, the two did some digging into the code and found the unwanted "&" character.
So what will Microsoft do to guard against future typos?
In his blog, Howard acknowledged the need to clean up the company's coding process. He said that Microsoft will update the tools it uses to find these types of errors. The company will also require its programmers to use the newer ATL code. In the past, Microsoft never told its programmers what to use. But says Howard in his blog, "We're going to change that!"
(Credit: Adobe)
Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.
The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.
The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.
An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by July 30, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by July 31.
An attacker can exploit the vulnerability by luring someone to a Web site hosting a specially crafted Shockwave Flash file, US-CERT said in an advisory Thursday.
"The Adobe Flash browser plug-in is available for multiple Web browsers and operating systems, any of which could be affected," CERT said. "An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."
The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, CERT said.
To disable Flash, US-CERT recommends:
Disabling Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
Disabling Flash Player or selectively enabling Flash content as described in the "Securing Your Web Browser" document.
"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF (Shockwave Flash) content," the Adobe advisory said.
Typically, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll, Adobe said.
Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Account Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar Web sites.
Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The bug used in the exploit has been around since December 2008.
Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.
Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.
In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes on a Symantec Security blog post.
"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."
It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.
The hole is exploitable on Windows XP; Vista users are protected if User Account Control (UAC) is enabled, Symantec said.
US-CERT offered information about workarounds on its Web site:
Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
Updated 12:30 p.m. PDT with ZoneAlarm discount offer and 11:50 a.m. PDT with comment from security vendors.
Microsoft on Tuesday closed security holes in Excel, Windows, and Word that had been exploited in the wild as well as other holes for which exploit code or details exist, all as part of its monthly patch update cycle.
The critical Excel hole could allow an attacker to take complete control of an unpatched system if a user opens a specially crafted Excel file. Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability.
The patch affects Microsoft Office 2002, 2003, and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, according to the Microsoft bulletin.
Microsoft also released a patch for a critical vulnerability in WordPad and Office that could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Word. This vulnerability is currently being exploited on the Internet, Microsoft said. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Server 2003, Microsoft Office Word 2000 and Word 2002.
Another patch fixes four critical vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page or if a user connects to an attacker's server via HTTP. Exploit code and attack details have been made public for a couple of the vulnerabilities. Affected software is IE 5, 6, and 7.
A patch for Microsoft DirectShow closes a critical vulnerability that could allow an attacker to take complete control of a system if a user opened a specially crafted MJPEG file. It affects DirectX 8 and DirectX 9.
A fifth patch addresses critical vulnerabilities in Windows HTTP services that could allow an attacker to take complete control of the system and for which exploit tools and code have been made public. Affected are Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008.
Also fixed are important holes in Windows being exploited in the wild that could allow elevation of privilege if an attacker is allowed to log on to a system and run a specially crafted application. Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008 are affected.
Other patches address less critical holes in Microsoft Internet Security and Acceleration Server 2004 and 2006 and the medium business edition of Forefront Threat Management Gateway, as well as SearchPath. Attack details have been made public for the SearchPath blended threat vulnerability. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and 2008.
In all, Microsoft issued eight patches for about two dozen reported vulnerabilities.
"We were astonished to see how many zero-days are in that release," said Wolfgang Kandek, chief technology officer of Qualys, in reference to exploits that target software with a vulnerability that has not been patched yet.
"Ten of the vulnerabilities have either exploits out in the wild or there is proof-of-concept code available and that's a first, I think, in terms of the number of zero days in a single bulletin," he said. "For the IT guys, that means their window has just shrunk to zero to get these things fixed."
The IE vulnerability is of particular concern, Ben Greenbaum, senior research manager at Symantec Security Response, said in an e-mail statement. It "appears to be the easiest of the bunch to take advantage of by an attacker and also happens to be the one that requires the least amount of involvement by a user to exploit. An attacker can simply lure a victim into viewing a Web page that contains malicious content and that individual's computer can then be taken over."
Missing from the bulletin was a fix for a zero-day hole in PowerPoint that Microsoft warned on April 2 had been targeted by attackers.
In honor of Patch Tuesday, Check Point Software Technologies said it was selling a full version of its ZoneAlarm Internet Security Suite for $9.95 instead of $49.95. The sale runs for 24 hours starting at 6 a.m. PDT on Tuesday. Check Point said it will donate half of the proceeds to non-profit TechSoup Global.
(Credit: Adobe)
Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.
Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.
Basically, attackers can take advantage of a hole on unpatched systems to overwrite memory with a buffer overflow and install a backdoor through which to control the system remotely.
In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.
Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension.
The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.
Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.
One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.
"Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication," said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.
Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.