Topic: Adobe exploits-in-the-wild...
« on: December 15, 2009, 01:50:33 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7316



FYI...

0-day Adobe Reader and Acrobat exploit in the wild
- http://www.symantec.com/connect/blogs/zero-day-xmas-present
December 14, 2009 - "Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed -confirmed- the existence of a 0-day vulnerability in these products. The PDF files we discovered arrive as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H*. We have reported our findings to Adobe who have acknowledged the vulnerability in this blog**..."

* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-121422-3337-99

** http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
December 14, 2009 - "... vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)..."

- http://secunia.com/advisories/37690/2/
Last Update: 2009-12-16
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Adobe Acrobat 9.x, Adobe Reader 9.x ...
...Fixed versions will reportedly be available by January 12, 2010*..."
* http://www.adobe.com/support/security/advisories/apsa09-07.html

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214
December 14, 2009 - "... this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself...
Disable JavaScript. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
... we strongly recommend you disable JavaScript..."

« Last Edit: June 10, 2010, 09:00:22 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #1 on: December 16, 2009, 03:16:53 »
AplusWebMaster Offline



FYI...

Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/advisories/apsa09-07.html
December 15, 2009 - "... Adobe has confirmed a -critical- vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions... Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue...
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote* for more information. Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Customers using Microsoft DEP ("Data Execution Prevention") functionality available in certain versions of Microsoft Windows are at reduced risk..."

* http://kb2.adobe.com/cps/532/cpsid_53237.html

« Reply #2 on: December 18, 2009, 18:45:29 »
AplusWebMaster Offline



FYI...

PDF – Pretty Darned Fatal
- http://www.eset.com/threat-center/blog/2009/12/18/pdf-%E2%80%93-pretty-darned-fatal
December 18, 2009 - "Adobe PDF files were supposed to be a safe alternative to Microsoft Word documents in a time when Microsoft offered no effective protection against macro viruses and had virtually no security model in Office at all. Times change. Microsoft Word documents rarely spread macro viruses and have not for a long time if you are using versions of Word newer than Office XP.
In a dazzling display of arrogant refusal to learn from history, Adobe has configured their products for inferior security by deliberately choosing not to learn security lessons that Microsoft learned years ago.
Security flaws in Adobe reader and Adobe Acrobat are a major problem, but in most cases the technology that allows the exploits to work is JavaScript. Adobe Reader and Acrobat support JavaScript and insanely leave it enabled by default. In practice most PDFs do not require JavaScript and many that do are quite usable without it anyway. If you want to do something simple to help protect yourself against drive-by malware infections – the kind where you simply go to a webpage and get infected, then disable JavaScript in Acrobat and Reader. In Adobe Reader version 9, you go to the edit menu, select preferences, then JavaScript, and then -uncheck- the box that says “Enable Acrobat JavaScript”.
This is how Adobe would set the defaults if they listened to their security experts instead of the marketing department..."

- http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
December 18, 2009

0-Day Malware Drops Payloads Signed with a Forged Microsoft Certificate
- http://blog.webroot.com/2009/12/15/zero-day-malware-drops-payloads-signed-with-a-forged-microsoft-certificate/
December 15, 2009

« Last Edit: December 30, 2009, 05:52:34 by AplusWebMaster »
« Reply #3 on: December 29, 2009, 07:56:05 »
AplusWebMaster Offline



FYI...

(0-day ...updated) Adobe Reader/Acrobat memory corruption vulns
- http://secunia.com/advisories/37690/
Last Update: 2009-12-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
Software: Adobe Acrobat... Reader...
Description:
-Two- vulnerabilities have been reported in Adobe Reader and Acrobat, which can be exploited by malicious people to compromise a user's system.
1) An error in the implementation of the "Doc.media.newPlayer()" JavaScript method can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file.
NOTE: This vulnerability is currently being actively exploited.
2) An array indexing error exists in 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. This can potentially be exploited to corrupt memory and execute arbitrary code via a PDF file containing a specially crafted U3D model.
The vulnerabilities are confirmed in version 9.2. Other versions may also be affected...
- http://secunia.com/advisories/37690/2/
"... Solution:
> Do not open untrusted PDF files. Do not browse untrusted websites or follow untrusted links.
> Use the JavaScript Blacklist functionality* to block the "Doc.media.newPlayer()" method. Please see the vendor's advisory for more information.
> Versions fixing vulnerability #1 will reportedly be available by January 12, 2010...
2009-12-29: Added vulnerability #2 to the advisory..."

* http://www.adobe.com/support/security/advisories/apsa09-07.html
"... Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat..."

« Reply #4 on: January 04, 2010, 03:16:07 »
AplusWebMaster Offline



FYI...

Malicious PDF docs exploiting CVE-2009-4324
- http://isc.sans.org/diary.html?storyid=7867
Last Updated: 2010-01-04 06:29:59 UTC - "... Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here*). After extracting the included JavaScript code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long!... Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document..."
* http://www.virustotal.com/analisis/40e22d52c00b76ad58c3c8daa644b7cfdc4f07a50718743f8e67e89bab386eab-1262223143
File Requset.pdf received on 2009.12.31 01:32:23 (UTC)
Result: 6/40 (15.00%)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324

« Reply #5 on: January 07, 2010, 20:33:39 »
AplusWebMaster Offline



FYI...

More on malicious PDF's
- http://isc.sans.org/diary.html?storyid=7903
Last Updated: 2010-01-07 01:01:21 UTC- "While we are still waiting for the patch and the malicious PDFs which exploit CVE-2009-4324 become more and more nasty, here's another quick excursion in dissecting and analyzing hostile PDF files... we find a recent ThreatExpert analysis http://www.threatexpert.com/report.aspx?md5=b0eeca383a7477ee689ec807b775ebbb that matches perfectly to what we found within this PDF..."

« Reply #6 on: January 09, 2010, 05:32:58 »
AplusWebMaster Offline



FYI...

New Obfuscated Scripts in the Wild
- http://www.symantec.com/connect/blogs/new-obfuscated-scripts-wild-lgpl
January 8, 2010 - "... One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script... The use of well-known domains in the URL string is an attempt by the attackers to circumvent other protection mechanisms that may be in place... the actual domain resolves to thechocolateweb .ru, -not- the various other domains that appear in the URL... The payload hasn't changed much from last year's attacks. When one visits a compromised site, the malicious JavaScript loads more JavaScript that contains an iframe tag, which opens another page containing two links. One link goes to a PDF file, which is detected as Trojan.Pidief.H or Bloodhound.Exploit.288. The other is to a JAR (Java ARchive) file, which is detected as Downloader. Those two files use the following vulnerabilities to infect the computer with malware:
• Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
• Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)
• Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities  (BID 32608)

... you may want to consider disabling JavaScript in Adobe Reader... The final payload includes malware like Trojan.Bredolab, Downloader.Fostrem, and Trojan.Zbot, along with security risks such as PrivacyCenter and a number of other misleading applications that may be detected as Trojan.FakeAV. It's important to keep your definition files up-to-date as these files are frequently being updated. We also released a generic detection called Trojan.Malscript.B to catch the new malicious JavaScript, as well as scripts with similar code..."
___

Adobe Reader v9.3 released
- http://boards.cexx.org/index.php?topic=17585.msg80206#new
January 12, 2010

« Last Edit: January 12, 2010, 17:02:17 by AplusWebMaster »
« Reply #7 on: January 18, 2010, 06:35:56 »
AplusWebMaster Offline



FYI...

Targeted (PDF) attacks...
- http://www.f-secure.com/weblog/archives/00001859.html
January 18, 2010 - "F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were emailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week. The PDF file was quite convincing and it looked like it came from the Department of Defense... The document talks about a real conference to be held in Las Vegas in March. When opened to Adobe Reader, the file exploited the CVE-2009-4324* vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday. The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 140.136.148.42. In order to avoid detection, it bypasses the local web proxy when doing this connection. Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
"... Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X..."

(Screenshots available at the F-secure URL above.)

« Reply #8 on: March 09, 2010, 02:39:18 »
AplusWebMaster Offline



FYI...

Adobe Reader exploit/vuln active in the Wild - CVE-2010-0188
- http://blogs.technet.com/mmpc/archive/2010/03/08/cve-2010-0188-patched-adobe-reader-vulnerability-is-actively-exploited-in-the-wild.aspx
March 08, 2010 - "While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I've never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188*. This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what’s happening. When the PDF file is loaded, Adobe Reader opens and then closes, while an executable file named a.exe is dropped directly onto the C:\ drive. The dropped executable, which is actually embedded into the PDF file, tries to connect to a .biz registered domain to download other files. JavaScript is again used to successfully exploit this vulnerability, so disabling it for unknown documents might be a good idea..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
CVSS v2 Base Score: 9.3 (HIGH) - "... Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1**..."
** http://www.adobe.com/support/security/bulletins/apsb10-07.html

- http://techblog.avira.com/2010/03/09/pdf-exploit-for-recently-closed-security-hole/en/
March 9, 2010

- http://www.f-secure.com/weblog/archives/targeted_attacks_2008_2009_2010.png
March 9, 2010

> http://boards.cexx.org/index.php?topic=17585.msg80409#msg80409

« Last Edit: March 09, 2010, 14:56:28 by AplusWebMaster »
« Reply #9 on: April 06, 2010, 11:33:23 »
AplusWebMaster Offline



FYI...

PDF security hole 'Proof of concept' released...
- http://www.theregister.co.uk/2010/04/06/wormable_pdfs/
6 April 2010 - "... "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT* are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research..."
* http://boards.cexx.org/index.php?topic=17453.msg80691#msg80691

- http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
April 6, 2010 - "...users can use the following method to further mitigate against this risk. For consumers, open up the Preferences panel and click on "Trust Manager" in the left pane. Clear the check box 'Allow opening of non-PDF file attachments with external applications'..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4764
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1240
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1241

- http://sunbeltblog.blogspot.com/2010/04/poc-is-out-worm-that-spreads-via-pdfs.html
April 06, 2010

Also:
- http://isc.sans.org/diary.html?storyid=8545
Last Updated: 2010-03-31 19:04:25 UTC
- http://www.f-secure.com/weblog/archives/00001923.html
March 31, 2010

- http://www.eset.com/blog/2010/04/06/pdfs-exploitable-im-shocked
"... Patches are due out April 13th for the Adobe Acrobat Reader..."

- http://boards.cexx.org/index.php?topic=17585.msg80734#msg80734
April 13, 2010

« Last Edit: April 13, 2010, 10:39:10 by AplusWebMaster »
« Reply #10 on: April 15, 2010, 02:28:49 »
AplusWebMaster Offline



FYI...

PDF ...used to Install Zeus
- http://www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp
Apr, 14, 2010 - "Today we began seeing emails... claiming to be from Royal Mail with an attached PDF file... This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or to open or print a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF file. This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot... When this PDF is opened in Adobe Reader with JavaScript enabled, the exportDataObject function causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users, and not really knowing what is happening, they may just click save (It appears as if they are just saving a PDF file after all). Users of Foxit PDF reader will get no warning and the attachment will be saved to the user's Documents folder... Once the exportDataObject function has completed, the Launch action is run. The Launch action is used to execute the Windows command interpreter (cmd.exe) and is given a command line to execute... This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf file in some commonly used folders such as My Documents and Desktop and then tries to run the file. (Remember that this is actually the executable file). Adobe Reader will pop up the box shown below and the command will only be run if the user clicks ‘Open’. The latest version of Foxit reader (released April 1st - v3.2.1.0401**) will display a similar warning, older versions will go ahead and execute the command without asking...
If this command is successfully run, the Zeus data stealing bot is installed..."

(Screenshots available at the URL above.)

- http://www.m86security.com/newsImages/TRACE/adobeLaunch.PNG
DO NOT OPEN (Image shown)

Zbot campaign comes in a PDF
- http://securitylabs.websense.com/content/Alerts/3593.aspx
04.14.2010
* http://www.virustotal.com/analisis/95638f2fedf39f97c30394bb26603b4252f5d14334bcff73a8fc951de1501d09-1271254281
File sdra64.exe received on 2010.04.14 14:11:21 (UTC)
Result: 8/40 (20%)

Adobe v9.3.2 Reader update
- http://boards.cexx.org/index.php?topic=17585.msg80734#msg80734
April 13, 2010

Foxit v3.2.1.0401 Reader update
** http://boards.cexx.org/index.php?topic=17453.msg80691#msg80691

« Last Edit: May 01, 2010, 12:38:02 by AplusWebMaster »
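
One way to triage a PDF for the features described in the post above (Launch action, embedded attachment, JavaScript run on open), as an added example that is not from the forum post or the sources it quotes. It counts PDF name tokens in the raw bytes after decoding #XX escapes; the sample documents and the function names are constructed for illustration.

```python
import re

# PDF name tokens tied to the behaviours discussed in this thread.
SUSPICIOUS_NAMES = {
    "/JS": "JavaScript source",
    "/JavaScript": "JavaScript action",
    "/OpenAction": "action run when the document is opened",
    "/AA": "additional (automatic) actions",
    "/Launch": "Launch action, starts an external program",
    "/EmbeddedFile": "file attachment stored inside the PDF",
    "/RichMedia": "embedded rich media such as SWF",
}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #XX escapes, so /L#61unch is compared as /Launch."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage(data: bytes) -> dict:
    """Count the suspicious names and record which ones were hex-escaped."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    obfuscated = set()
    for match in _NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated.add(name)
    return {"counts": counts, "obfuscated": sorted(obfuscated)}


def verdict(report: dict) -> list:
    """Turn the counts into findings an analyst can act on."""
    c = report["counts"]
    has_js = c["/JS"] > 0 or c["/JavaScript"] > 0
    findings = []
    if c["/Launch"]:
        findings.append("Launch action present")
    if has_js and c["/EmbeddedFile"]:
        findings.append("JavaScript together with an embedded file")
    if has_js and (c["/OpenAction"] or c["/AA"]):
        findings.append("JavaScript triggered automatically")
    if c["/RichMedia"]:
        findings.append("embedded rich media content")
    if report["obfuscated"]:
        findings.append("hex-escaped names: " + ", ".join(report["obfuscated"]))
    return findings


# Constructed sample: not a working document, only the object dictionaries.
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R "
    b"/Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (placeholder) /Next 3 0 R >> endobj\n"
    b"3 0 obj << /S /L#61unch /F (constructed-placeholder) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

# Constructed sample: a document with none of the flagged features.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("plain", SAMPLE_PLAIN)):
        print(label, verdict(triage(sample)))
```

Names stored inside compressed object streams are invisible to a raw-byte scan, so an empty result does not show that a file is safe.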
« Reply #11 on: May 05, 2010, 09:31:04 »
AplusWebMaster Offline



FYI...

ISS - aftermath of doc.pdf, statistics, payload, and spam
- http://blogs.iss.net/archive/aftermathofdocpdf.html
May 03, 2010 - "It looks like the onslaught of spam email containing doc.pdf is mostly behind us... At the peak of the attacks, we received 85,000+ alerts in a single day, even if the attacker was successful at a 10% rate of infection that’s easily 8500 infections. This is not even considering the amount of these attacks worldwide which would be assumed in the millions... The SPAM email was sent from various SMTP servers globally, which appears to be originating from a botnet, looking to expand its troops... yet another potentially huge Zeus/Zbot botnet was created or expanded all through spam email. Zeus is a force to be reckoned with its expanding and updated code base into version 2.0. Zeus version 2.0 has new infection measures, new encryption, windows 7 support and a long list of new features. The evolving threat is not going away anytime soon, so we must all remain vigilant in protecting our networks."

« Reply #12 on: June 05, 2010, 04:38:29 »
AplusWebMaster Offline



FYI...

Adobe Flash/Acrobat/Reader vulns

- http://www.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat
June 6, 2010 - "We have confirmed the attacks that are exploiting the vulnerability (CVE-2010-1297) Adobe announced on its security advisory* are in the wild. The exploit takes advantage of an unpatched vulnerability in Flash Player, Adobe Reader, and Acrobat, and affects users regardless of whether they use Windows, Macintosh, Solaris, Linux, or UNIX... Attacks can take place in various situations with a few listed below:
• Receiving an email with a malicious PDF attachment.
• Receiving an email with a link to the malicious PDF file or a website with the malicious SWF imbedded in malicious HTML code.
• Stumbling across a malicious PDF or SWF file when surfing the web..."

- http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/
June 5, 2010

- http://blog.trendmicro.com/zero-day-flashacrobat-exploit-seen-in-the-wild/
June 5, 2010

- http://blogs.adobe.com/psirt/2010/06/security_advisory_for_adobe_re.html
June 4, 2010

Adobe Flash Player vuln
- http://secunia.com/advisories/40026/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
NOTE: The vulnerability is reportedly being actively exploited.
Solution: Reportedly, the latest version 10.1 Release Candidate is not affected...
- http://labs.adobe.com/downloads/flashplayer10.html
Reported as a 0-day.
Original Advisory: Adobe:
* http://www.adobe.com/support/security/advisories/apsa10-01.html

Adobe Reader/Acrobat vuln
- http://secunia.com/advisories/40034/
Release Date: 2010-06-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
NOTE: The vulnerability is currently being actively exploited.
Solution: Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files...
Reported as a 0-day.

« Last Edit: June 06, 2010, 09:38:17 by AplusWebMaster »
« Reply #13 on: June 08, 2010, 02:43:44 »
AplusWebMaster Offline



FYI...
___

Status update: Adobe vulnerabilities - exploits-in-the-wild ...
- http://www.adobe.com/support/security/advisories/apsa10-01.html
Last updated: June 8, 2010 - "... We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010. The patch date for Flash Player 10.x for Solaris is still to be determined.
We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010..."

- http://atlas.arbor.net/briefs/index#-1218073436
Title: Adobe Flash, Reader, and Acrobat 0day authplay Vulnerability
Severity: Extreme Severity
June 09, 2010 - "Analysis: This is an active, critical issue being exploited in the wild. We have multiple sources of these attacks with minimal AV detection. We encourage sites to investigate remediation steps immediately to address this."
Source: http://www.us-cert.gov/cas/techalerts/TA10-159A.html

- http://www.f-secure.com/weblog/archives/00001963.html
June 8, 2010 - "... spam run pushing a PDF exploit... screenshot of the PDF attachment..."

Adobe 0-day used in targeted attacks  
- http://community.websense.com/blogs/securitylabs/archive/2010/06/09/how-the-adobe-0-day-is-used-in-attacks.aspx
9 Jun 2010

- http://www.kb.cert.org/vuls/id/486225
Date Last Updated: 2010-06-09

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297
Last revised: 06/09/2010
CVSS v2 Base Score: 9.3 (HIGH)

Mitigations for Adobe vulnerability: CVE-2010-1297
- http://www.sophos.com/blogs/sophoslabs/?p=9954
June 8, 2010 - "...
1. Renaming authplay.dll: Our testing shows that this workaround, at least for this sample, works successfully (as claimed by Adobe). Acrobat will work normally on regular PDFs, but on exploited files (and potentially others with embedded SWF files), it will crash, but the exploit will fail.
2. Disabling JavaScript: As recommended previously, disabling JavaScript in Acrobat Reader is another workaround for this sample (since it relies on JavaScript to create the shellcode).
3. Alternative PDF reader: The exploit depends upon embedded SWF content, so PDF readers which ignore this ought to be safe..."

« Last Edit: June 10, 2010, 09:17:32 by AplusWebMaster »
« Reply #14 on: June 10, 2010, 14:25:49 »
AplusWebMaster Offline



FYI...

Adobe Flash v10.1.53.64 released
- http://boards.cexx.org/index.php?topic=17585.msg80966#msg80966
June 10, 2010

Adobe Reader/Acrobat v9.3.3 released
- http://boards.cexx.org/index.php?topic=17585.msg81046#msg81046
June 29, 2010

« Last Edit: July 03, 2010, 09:23:08 by AplusWebMaster »