Tag Archive | "Adobe"

Adobe updates Reader and Acrobat

As announced earlier, Adobe has released updated versions of Adobe Acrobat and Reader. These programs were also vulnerable to the Flash Player zero-day vulnerability that was already fixed in Flash Player last week. As the vulnerability is rated critical, users of Acrobat and Reader should download and install the updates as soon as possible.

The updated version for Adobe Reader is available in the Download Center. For Acrobat, the new releases are linked in the refreshed security advisory.

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira

How NOT to redact a PDF – Nuclear submarine secrets spilled

If you’re an organisation that is making an internal document public, you had best make sure that you have deleted or blacked out any personal, confidential or actionable information.

The act of obscuring the sensitive information is known as “redaction”, and – for obvious reasons – needs to be done properly if you care about privacy and avoiding a potentially damaging data leak.

In the old days – before PDFs and Word documents – you might have redacted a document with a thick black marker pen, ensuring that anyone who made a photocopy of the document wouldn’t be able to see the censored words. Things are different with electronic media, of course.

Unfortunately, time and time again we’ve seen sloppy security procedures make it far too easy for unauthorised parties to view information in electronic documents that should have been properly redacted.

The latest example, which has made numerous newspaper headlines, involves the British Ministry of Defence, which was found to have published a PDF document online that unintentionally revealed information about nuclear submarine security.

The PDF, entitled “SUCCESSOR SSBN – SAFETY REGULATORS’ ADVICE ON THE SELECTION OF THE PROPULSION PLANT IN SUPPORT OF THE FUTURE DETERRENT REVIEW NOTE”, was published on the parliamentary website following requests under the Freedom of Information Act. However, although sections were supposed to be protected through redaction, it was possible to copy and paste the blacked-out text straight out of it.

Quack quack oops!

As the Daily Star explained:

The bunglers turned the text background black - making the words unreadable - but crucially left them in place. That meant anyone wanting to read the censored sections just had to copy the text.

This was a real schoolboy error to make, as anyone with even an elementary knowledge of computers would know how to read the “redacted” content.

If you want to learn how to properly redact Adobe PDF files, here’s a great guide describing how to do it with Acrobat X Pro.

Good luck, and remember that simply marking text will not actually remove it from your sensitive PDFs. You also have to apply redactions!
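As an added illustration that is not part of the original post, here is a check for exactly the failure described above: a small constructed one-page PDF is built twice, once with the sensitive sentence still in the content stream underneath a black rectangle (marked, not applied) and once with the text actually removed, and an extractor recovers whatever Tj/TJ string operands remain, which is what copy-and-paste sees. The PDF builder, the sample sentence and all function names are assumptions of this example.

```python
"""Check whether 'redacted' text is still recoverable from a PDF's content streams (added example)."""
import re
import zlib

# stream dictionary immediately followed by the stream keyword; the lookahead keeps a
# match from running across object boundaries
STREAM_RE = re.compile(rb"(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")          # (string) Tj
TJ_ARRAY_RE = re.compile(rb"\[((?:\\.|[^\]])*)\]\s*TJ")      # [(str) -20 (ing)] TJ
STR_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")


def stream_length(dict_src: bytes, pdf: bytes, start: int) -> int:
    """Direct /Length when present; otherwise fall back to searching for endstream."""
    if not re.search(rb"/Length\s+\d+\s+\d+\s+R", dict_src):   # indirect length object
        m = re.search(rb"/Length\s+(\d+)", dict_src)
        if m:
            return int(m.group(1))
    end = pdf.find(b"endstream", start)
    return (end if end >= 0 else len(pdf)) - start


def decode_streams(pdf: bytes):
    """Yield the decoded bytes of every stream (FlateDecode or unfiltered)."""
    for m in STREAM_RE.finditer(pdf):
        body = pdf[m.end():m.end() + stream_length(m.group(1), pdf, m.end())]
        if b"/FlateDecode" in m.group(1):
            try:
                yield zlib.decompress(body)
            except zlib.error:
                continue  # damaged or unsupported stream: skip it
        else:
            yield body


def shown_text(pdf: bytes) -> list:
    """String operands of Tj/TJ operators: what a copy-and-paste would recover."""
    found = []
    for content in decode_streams(pdf):
        found.extend(s.decode("latin-1") for s in TJ_RE.findall(content))
        for arr in TJ_ARRAY_RE.findall(content):
            found.append(b"".join(STR_RE.findall(arr)).decode("latin-1"))
    return found


def leaks(pdf: bytes, sensitive: str) -> bool:
    """True when the sensitive text is still present in any text-showing operator."""
    return any(sensitive in s for s in shown_text(pdf))


def build_pdf(content: bytes) -> bytes:
    """Constructed single-page PDF with a Flate-compressed content stream."""
    data = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


SECRET = "Reactor pressure limit: CONSTRUCTED-VALUE"  # constructed sample sentence


def marked_redaction_pdf() -> bytes:
    """Text drawn, then a black rectangle painted over it: the words are still in the file."""
    return build_pdf(b"BT /F1 12 Tf 72 700 Td (" + SECRET.encode() + b") Tj ET\n"
                     b"0 g 70 696 300 16 re f\n")


def applied_redaction_pdf() -> bytes:
    """Redaction applied: the text operator is gone and only the black box remains."""
    return build_pdf(b"0 g 70 696 300 16 re f\n")


if __name__ == "__main__":
    print("marked only ->", shown_text(marked_redaction_pdf()))
    print("applied     ->", shown_text(applied_redaction_pdf()))
```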

Posted in Sophos

Flash Player Update available

Just a short notice on the Adobe Flash Player update that is now available: version 10.2.159.1 has been released, which fixes the critical security vulnerability that allows attackers to infect computers with malware, for example simply by luring victims onto hacked websites. The update is available for Windows, Mac, Linux and Solaris in Adobe’s Download Center. Users and administrators should install the new version immediately!

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira

Adobe to Patch Flash Zero Day on Windows, Mac on Friday

Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents.

Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac is scheduled for April 25.

The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe’s relationship with Google.

“During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris,” the company said in a statement.

When they disclosed the vulnerability earlier this week, Adobe officials warned customers that the vulnerability was already being used in targeted attacks that were leveraging malicious Flash files embedded in Microsoft Word documents. Microsoft security engineers analyzed the attacks and found that the attackers are using a complex exploit routine to build shellcode and then inject the exploit code into the Flash Player.

Posted in Kaspersky

Adobe plans Flash Player Update tomorrow

This is good news – for the recently acknowledged zero-day security vulnerability within Adobe Flash Player, Acrobat and Reader there will be a first update available tomorrow. Adobe updated their security advisory on that matter to reflect the update schedule – the Flash Player update fixing the vulnerability for Windows, Mac, Linux and Solaris will be available tomorrow, Friday, April 15.

For the likewise vulnerable Adobe Reader and Acrobat, updates are planned “no later than the week of April 25, 2011”. The only exception is Adobe Reader X for Windows, which will be updated on the regularly scheduled patch day on June 14, as the integrated sandbox prevents successful exploitation there according to Adobe.

Please be prepared to download and install the update tomorrow as soon as it is available!

Dirk Knop
Technical Editor

Posted in Avira

Analysis of the New Adobe Flash Attacks

When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks are using malicious Flash files buried in Word documents, and Microsoft’s security engineers have analyzed the exploits and found some interesting details.

This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.

The attack presents to the user via a spam message, often with a subject line referencing the Fukushima nuclear disaster, and carrying a malicious Word document as an attachment.

“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.

“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”

The next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.

“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.

The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.

This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.

Posted in Kaspersky

Another Adobe Flash Zero-Day Found, Embedded in Word Documents

An exploit for another zero-day vulnerability in Adobe Flash Player was very recently found just a couple of weeks after Adobe patched a similar critical vulnerability, which was actively exploited and used for attacks.

According to the security advisory Adobe released (APSA11-02), the vulnerability is currently being exploited in the wild in the form of an .SWF file embedded in a Microsoft Word document. According to reports, the said exploit was also being distributed through email. We are currently trying to find more information on the nature of the email messages through which the exploit arrives.

We were able to analyze a sample of the Microsoft Word document wherein the exploit was embedded. The document bears the file name Disentangling_Industrial_Policy_and_Competition_Policy.doc and is now detected as TROJ_MDROP.WMP. It contains an .SWF file, which is now detected as SWF_EXPLOIT.WMP. SWF_EXPLOIT.WMP, when decrypted, is actually a backdoor program that is, in turn, detected as BKDR_SHARK.WMP.

Software affected by this vulnerability includes:

  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris OSs
  • Adobe Flash Player 10.2.154.25 and earlier for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier for Android users
  • The Authplay.dll component that is shipped with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OSs

Adobe has yet to release a patch for this vulnerability.

The way this exploit arrives on users’ systems is very similar to the one used for APSA11-01. Both exploits arrive as .SWF files embedded in Microsoft Office documents (the previous one was embedded in Microsoft Excel spreadsheets). Such threats, when used for sophisticated schemes like targeted attacks, can cause a lot of damage. Recall that APSA11-01 was reportedly used in several attacks, including one related to the Japanese earthquake and to the breach that affected RSA.

As this vulnerability remains unpatched, there is a huge possibility that it will be used for malware attacks. Users are strongly advised to practice extreme caution in dealing with email messages (especially those that come with attachments) from unverified sources.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro

Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation

About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02).

It all started with spam emails enticing users to open the attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained the malicious Flash exploit inside. Most of the files we have captured with our signature are named:

  • Fukushima .doc
  • evaluation about Fukushima Nuclear Accident.zip
  • 首場政見會後最新民調略升-蔡英文粉絲團~聲援 .doc
  • 日志分析.doc

Inside the .doc file a malformed Adobe Flash file is embedded. Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously.

In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment.

Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled (image below):

Image 1 – NOP-sled

The AVM2 code then constructs a Win32 shellcode (built in the highlighted ByteArray “s”):

Image 2 – shellcode

It then loads the attack code inside the Flash Player. The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed as in the screen dump below:

Image 3 – CVE-2011-0611 attack code

Shellcode details

The shellcode is injected starting at address 0x11111111 and is a fairly standard one.

Its task is to launch the payload while trying to hide the signs of an infection. It does that by dropping a clean Word document which will replace the original, malicious one.

Let’s see, in detail, what the shellcode does once it gets executed:

  • Resolves the needed APIs:
    • LoadLibraryA
    • GetFileSize
    • GetTempPathA
    • TerminateProcess
    • CreateFileA
    • WideCharToMultiByte
    • SetFilePointer
    • ReadFile
    • WriteFile
    • WinExec
    • CloseHandle
    • GetCommandlineA
    • GetModuleFileNameA
    • CreateFileMappingA
    • MapViewOfFile
    • GetLogicalDriveStringsA
    • QueryDosDeviceA
    • ZwQueryVirtualMemory
  • Brute-forces its way to the Word document’s file handle by knowing that
    • File size must be > 0x7000
    • It must contain the marker 0x7010 at offset 0x7000
  • Retrieves the file path of the Word document file using ZwQueryVirtualMemory and GetLogicalDriveStringsA
  • Decrypts a binary from the document, dumps it as %temp%\scvhost.exe (SHA1 adbf24228f0544a90979a9816569e8c7415efbac – detected as Backdoor:Win32/Poison.M) and finally executes it.

Image 4 – Win32 Shellcode fragment

  • Decrypts an embedded doc file and saves it as ‘%temp%\AAAA’. This file is the clean Word document we mentioned earlier.
  • The freshly dumped doc file is then used to overwrite the initial Word document.
  • The new document is launched to hide symptoms of infection.
  • Using the utility “taskkill.exe”, it terminates all processes with the name ‘hwp.exe’.

The current WinWord (Microsoft Word) instance is terminated.

We currently detect the malicious Word document and the embedded attack Adobe Flash file as Exploit:SWF/CVE-2011-0611.A. We urge you to read the advisory from Adobe for mitigation details about this vulnerability. As always, we advise you not to open emails from untrusted sources or emails that seem suspicious to you, even if they apparently come from people you know.

Marian Radu, Daniel Radu & Jaime Wong
MMPC

PS: We’d like to thank our colleague Bruce Dang for his contribution to this blog post.

Posted in Microsoft

New Zero-Day Attack in Adobe Products (CVE-2011-0611)

Last month, Adobe released a security advisory (APSA11-01) and a product update about a critical flaw, exploited in the wild, affecting Flash Player versions and a vulnerable component, authplay.dll, of Adobe Reader and Acrobat. That vulnerability (CVE-2011-0609) was exploited in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

Yesterday, Adobe released another security advisory, APSA11-02, alerting users to a critical flaw of the same kind affecting Flash Player versions and the vulnerable authplay.dll component of Adobe Reader and Acrobat. This vulnerability is currently being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.

The vulnerability (CVE-2011-0611) could cause the affected applications to crash and could be used to run arbitrary code. This means that the malicious files could be downloaded or dropped on the affected system.

Adobe currently is finalizing a schedule for releasing updates for the products affected.

Affected software versions

  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.2.154.25 and earlier for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

ActnS/CVE-2011-0611!exploit is a detection for SWF files capable of exploiting a vulnerability in Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.2.154.25 and earlier for Chrome users, Adobe Flash Player 10.2.156.12 and earlier for Android.

This 0-day vulnerability was spotted in the wild, and an earlier report indicates that a maliciously crafted Microsoft Word document (176,144 bytes) arrives via an email limited to its target victims.

The embedded malicious SWF contains ActionScript code that is used to fill the heap with a NOP sled.

The screenshot in Figure 1 shows the decoded ActionScript; the highlighted portion is the shellcode:

[Figure 1 - Malicious ActionScript]

[Figure 2 - Sample injected Shell Code]

The payload is embedded on the Microsoft Word file.

Inspecting the file, you may notice that even though it seems to contain another executable, you cannot spot the MZ header or PE header. That is because the executable is encrypted with a simple XOR. The purpose of this routine is to bypass anti-virus engines that scan for embedded executables.

[Figure 3 - Malicious Executable Embedded]
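The following is an added example, not code from the CA or Microsoft posts, that turns the observations above into defensive checks over a carrier file: it looks for embedded SWF headers, brute-forces single-byte XOR keys to reveal an executable whose MZ and PE headers have been hidden (the simple XOR this paragraph describes), and tests the carrier fingerprint the MMPC write-up reports for the shellcode (size > 0x7000 and marker 0x7010 at offset 0x7000). The sample carrier, the 16-bit width assumed for the marker and the key 0x5A are constructed assumptions.

```python
"""Heuristic scanner for the Office-carrier tricks described above (added example)."""
import struct

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed Flash file headers


def find_embedded_swf(data: bytes) -> list:
    """Offsets of plausible SWF headers: 3-byte magic, version byte, little-endian length."""
    hits = []
    for magic in SWF_MAGICS:
        i = data.find(magic)
        while i >= 0:
            if i + 8 <= len(data):
                version = data[i + 3]
                length = struct.unpack_from("<I", data, i + 4)[0]
                # keep only sane versions and lengths (CWS stores the uncompressed size)
                if 1 <= version <= 20 and 8 < length < 64 * 1024 * 1024:
                    hits.append(i)
            i = data.find(magic, i + 1)
    return hits


def find_xor_pe(data: bytes) -> list:
    """(offset, key) for every PE image hidden with a single-byte XOR; key 0 means plaintext.
    A hit requires 'MZ' at the offset and e_lfanew pointing at 'PE\\0\\0' after decoding,
    which is what filters out chance two-byte matches."""
    hits = []
    for key in range(256):
        mz = bytes((0x4D ^ key, 0x5A ^ key))
        i = data.find(mz)
        while i >= 0:
            if i + 0x40 <= len(data):
                raw = bytes(b ^ key for b in data[i + 0x3C:i + 0x40])
                e_lfanew = struct.unpack("<I", raw)[0]
                p = i + e_lfanew
                if 0x40 <= e_lfanew <= 0x400 and p + 4 <= len(data):
                    if bytes(b ^ key for b in data[p:p + 4]) == b"PE\x00\x00":
                        hits.append((i, key))
            i = data.find(mz, i + 1)
    return hits


def has_dropper_marker(data: bytes) -> bool:
    """Fingerprint the MMPC shellcode uses to recognise its own carrier: size > 0x7000 and
    the marker 0x7010 at offset 0x7000. The marker width is not stated in the write-up;
    a 16-bit little-endian word is assumed here."""
    return len(data) >= 0x7002 and struct.unpack_from("<H", data, 0x7000)[0] == 0x7010


def scan_document(data: bytes) -> dict:
    """Run all three heuristics over one carrier file."""
    return {
        "swf": find_embedded_swf(data),
        "xor_pe": find_xor_pe(data),
        "marker": has_dropper_marker(data),
    }


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed carrier: compound-file magic, zero padding up to the marker, a fake CWS
    header and a tiny XOR-encoded PE stub (headers only, not a runnable program)."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to e_lfanew at 0x3C
    pe += struct.pack("<I", 0x80) + b"\x00" * 0x40   # e_lfanew = 0x80, then DOS stub padding
    pe += b"PE\x00\x00" + b"\x00" * 16               # NT signature at 0x80
    doc = bytearray(b"\xD0\xCF\x11\xE0" + b"\x00" * 0x7000)
    doc[0x7000:0x7002] = struct.pack("<H", 0x7010)   # marker the shellcode looks for
    doc += b"CWS\x0a" + struct.pack("<I", 4096) + b"\x00" * 32  # fake embedded Flash header
    doc += bytes(b ^ key for b in pe)                # XOR-hidden executable
    return bytes(doc)


if __name__ == "__main__":
    print(scan_document(build_sample()))
```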

It will then execute the non-malicious file “Disentangling Industrial Policy and Competition Policy.doc” so that users are unaware that their machine has been compromised.

[Figure 4 - Non Malicious Microsoft Word Document]

Reference:

http://www.adobe.com/support/security/advisories/apsa11-02.html

CA detections related to this attack are W97M/CVE-2011-0611!dropper, ActnS/CVE-2011-0611!exploit, Win32/Smalldoor variant and Win32/Poison variant.

To help protect your machines from being infected, never open any files from untrusted sources. This especially applies while the vulnerability remains unpatched. And of course, always update your CA Security Product signature files!

Posted in CA Technologies

One more Adobe 0-day vulnerability using Office files

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in its security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited through other formats and applications that support Flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Posted in Security

Zero-Day Vulnerability in Adobe Flash Player, Reader and Acrobat

Adobe has released a security advisory warning of a zero-day vulnerability in the current versions of Adobe Flash Player, Reader and Acrobat. Affected are Flash Player 10.2.153.1 and earlier versions for Windows, Mac, Linux and Solaris, the current version integrated in the Chrome web browser, and 10.2.156.12 and earlier versions for Android. The authplay.dll component of current and older versions of Adobe Acrobat and Reader is also affected; according to Adobe, though, the sandbox of Adobe Reader X prevents execution of malicious payloads.

The vulnerability allows attackers to inject malicious code via manipulated documents. Adobe currently reports targeted attacks which use a Word document with a specially prepared Flash Player file (.swf) embedded to infect victims.

The company is currently finalizing a schedule for updated software versions. Until those updates are available, users should take care which documents they open; documents that arrive without being expected should be treated as suspicious.

Dirk Knop
Technical Editor

Posted in Avira

Download Adobe Reader 10 Alternative scam

MX Lab reported earlier on a malicious spam campaign regarding an offer to download and buy PDF Reader/Writer for Windows and Mac, in the articles “Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype” and “Emails offering PDF Reader 2010 lead to unsecure payment site”.

MX Lab noticed a new version that offers the latest PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” and come from the email address dailynews_dec09@m120.redmediaone.com.

This is the body of the email:

Following the link to the web site will lead us here:

When clicking on the download button we have the following screen that looks very familiar:

Okay, let’s go through the registration process:

The registration transactions are performed on the domain secure-signupway.com. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.

Now, this is also interesting. The domain from where the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com

   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM
      NS2.DOMAINDISCOVER.COM

In the message, the download URL and an unsubscribe URL are present, both handled by http://list.onemediaclick.com/. In this case too, the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US

Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of Onemediaclick:

These guys are, according to the address on the site, located in Switzerland. When trying to contact them through the web form, nothing happens. The <form> tags are not included in the web form when looking at the source. Seems to me that this whole business can not be trusted.

Posted in Security

A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability

On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Microsoft Excel documents that were used as a vehicle to deliver the exploit.

The Adobe Flash file embedded inside the Excel file is another carrier for the exploit. It loads shellcode inside memory, performs heap-spraying, and loads a Flash byte stream from memory to exploit the 0-day vulnerability, which is tracked as CVE-2011-0609.

We spent some time analyzing this new 0-day vulnerability. As with previous Flash Player vulnerabilities, this one abuses the bytecode verifier inside Adobe Flash Player. Adobe Flash files can contain ActionScript bytecode for AVM (ActionScript Virtual Machine). For this vulnerability, we’re talking specifically about ActionScript3 and AVM version 2. Ideally, the bytecode should be verified on a per-method basis, before and during the method’s execution inside the just-in-time virtual machine. But in some cases, the verification logic fails. 

In the case of this vulnerability, the verifier failed to recognize a stack inconsistency after a series of operations and control flows. AVM security seems to be mainly dependent on the bytecode verifier and if it fails, the bytecode execution can be abused by the attackers.

We suspect this vulnerability was found using fuzzing technology from clean Flash files, because we found a file on the Internet that looks like it might have been used for the fuzzing. Through differential analysis between the original clean file and the exploit file, we could confirm the vulnerability. 

We found that some of the old Flash Player versions were immune to these specific attack files, but, as the Adobe security advisory implies, it doesn’t necessarily mean that old players don’t have the vulnerability.

Details of the exploitation process.

To reliably exploit the vulnerability, heap-spraying is performed through AVM2. NOP-sleds are sprayed onto memory (image below) along with a Win32 shellcode. 

Figure 1: Heap-spraying technique is used.

After the heap-spraying process, the actual attack code is loaded inside the Flash Player. The SWF file that triggers the vulnerability is converted from a hex-encoded embedded string object and executed as shown in the screen dump below:

Figure 2: A second flash file is loaded into memory.

The loaded SWF file contains a specially-crafted method that will cause the access of theoretically uninitialized memory. We say theoretically because in practice the said memory was initialized by the heap spray code, which enables the attacker to gain control of the execution.

We advise you that, for the time being, you don’t click any suspicious Excel files or hyperlinks. We’ve only seen this attack delivered through Excel files, but there is no reason why this attack cannot also be achieved through bare Flash files. The good news is that our protection products, like Microsoft Security Essentials, detect these files already with multiple signatures:

Another way to protect Adobe Flash Player from this issue is to use the Enhanced Mitigation Experience Toolkit (EMET). The Microsoft Security Research and Defense blog released a good post today that talks about EMET and other defenses. 

Jeong Wook Oh & Marian Radu

Posted in Microsoft

Excel File Containing Adobe Zero-Day Exploit Found

We got hold of an exploit targeting the vulnerability Adobe reported in its most recent security advisory.

The exploit, detected as TROJ_ADOBFP.B (now detected as TROJ_ADOBFP.SM), takes advantage of the referenced vulnerability to drop another malicious file detected as TROJ_DROPPER.ADO.

TROJ_ADOBFP.B arrives in users’ systems as a malicious .SWF file that has been embedded into an .XLS file. This .SWF file contains the code for the exploit. TROJ_DROPPER.ADO, on the other hand, drops another malicious file detected as BKDR_COSMU.KO. BKDR_COSMU.KO connects to a URL to execute certain commands. It also retrieves information from the affected system such as drive information, OS, file or directory list, as well as a list of existing processes and services.

The vulnerability related to this threat affects the following software and their corresponding versions:

  • Adobe Flash Player 10.2.152.33 for Windows, Macintosh, Linux, and Solaris OSs
  • Adobe Flash Player 10.1.106.16 and earlier versions for Android
  • Adobe Reader and Acrobat X (10.0.1) for Windows and Macintosh OSs (specifically the Authplay.dll component)

Adobe posted a schedule for the release of security updates that will address this vulnerability. All affected versions, except Adobe Reader X, will be patched on March 21. The update for Adobe Reader X will be released on June 14. Until the updates are released, users are advised to be extra careful, especially when dealing with .XLS files coming from unknown users.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro

Google faster than Adobe

This is something new: Google has managed to release a new Chrome version, 10.0.648.134, for Windows, Mac and Linux. It only includes a new version of the Flash Player, in which the recently found zero-day vulnerability is already fixed. This is some days ahead of the official Adobe release, which is planned for next week.

Thus it is a good idea to at least temporarily switch to the Google Chrome web browser for safer surfing on the Internet! Users of Chrome can check whether the most recent version is installed already by clicking on the tool symbol and then on the “About Chrome” entry.

Dirk Knop
Technical Editor

Posted in Avira

Critical Adobe Flaw without Patch

A vulnerability in the current versions of Adobe Flash Player on all supported platforms has been found, the company warns. Affected are not only Flash Player installations, but also Adobe Reader and Acrobat via the “authplay.dll” Flash Player integration. Currently there is no mitigation that helps against exploitation, so for the time being, opening only expected documents from trusted sources is good advice.

Adobe explains that they found an Excel sheet with malicious SWF content exploiting the vulnerability as an email attachment in a very limited, targeted attack. The reason for this is simple – one wouldn’t expect such malicious content in an Excel sheet; not opening unrequested documents thus is a way to mitigate the risk. Adobe plans to have an update ready by next week, around the 21st of March, and will ship it immediately then. For Adobe Reader X the patch will take a little longer, as the integrated sandbox prevents a successful exploit.

Avira products detect the exploit as EXP/CVE-2011-0609.

Dirk Knop
Technical Editor

Posted in Avira

“Talk soon, the people at Adobe”…


A question from a security mailing list: “Is this some sort of phish”?

———- Forwarded message ———-
From: Adobe Incorporated
Date: 1 March 2011 01:33
Subject: Adobe Acrobat Reader latest version released ! Upgrade Available Now
To: —-

Dear —–,

Adobe is pleased to announce that a new version of Acrobat PDF Reader was released today with new features, options and improvements.

official-adobe-download(dot)org

What’s new in this version :

* Read, search, and share PDF files.
* Convert to PDF.
* Export and edit PDF files
* Add rich media to PDF files
* Combine files from multiple applications
* Increase productivity and process consistency
* Streamline document reviews
* Collect data with fillable PDF forms
* Protect PDF files and content
* Comply with PDF and accessibility standards

To get more and upgrade to this version, go to  :

official-adobe-download(dot)org

Start downloading the update right now and let us know what you think about it. We’re working on making Adobe Acrobat Reader better all the time !

Talk soon, The people at Adobe       

Copyright © 2011 Adobe Systems Incorporated. All rights reserved.

While this isn’t a phish in the sense that they aren’t asking for login details, they are trying to get some money by making it look like you need to pay to download Adobe Acrobat Reader (you don’t). This kind of thing has been around for a while, and is also popular where Skype is concerned.

Steer clear.

Christopher Boyd
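A defender-side check for the trick in this message, added here as an example and not part of Christopher Boyd's post: undo the defanged “(dot)” spelling, pull out every host name mentioned, and flag those that carry a brand name yet sit on a domain the brand does not own. The allow-list and the sample e-mail are constructed for the example.

```python
import re

# Constructed allow-list for this demonstration: which domains legitimately
# belong to which brand. A real deployment maintains its own list.
OFFICIAL_DOMAINS = {
    "adobe": {"adobe.com", "get.adobe.com", "www.adobe.com"},
}

# Common "defanged" spellings people use when quoting suspicious URLs.
DEFANG = (("(dot)", "."), ("[dot]", "."), ("[.]", "."), ("hxxp", "http"))

# A host name: one or more dotted labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def refang(text):
    """Undo defanging so the domain regex sees real dots and schemes."""
    for old, new in DEFANG:
        text = text.replace(old, new)
    return text


def extract_domains(text):
    """Return the distinct, lower-cased host names mentioned in the text."""
    return sorted({m.group(1).lower() for m in DOMAIN_RE.finditer(refang(text))})


def registrable(domain):
    """Crude registrable-domain guess (last two labels); fine for .com/.org."""
    return ".".join(domain.split(".")[-2:])


def suspicious_domains(text):
    """(domain, brand) pairs where a brand name appears in a non-official domain."""
    findings = []
    for domain in extract_domains(text):
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in domain and domain not in official and registrable(domain) not in official:
                findings.append((domain, brand))
    return findings


# Constructed sample, condensed from the message quoted above; the get.adobe.com
# line is added to show that an official host is not flagged.
SAMPLE_EMAIL = """From: Adobe Incorporated
Subject: Adobe Acrobat Reader latest version released ! Upgrade Available Now
Adobe is pleased to announce that a new version of Acrobat PDF Reader was released today.
official-adobe-download(dot)org
To get more and upgrade to this version, go to :
official-adobe-download(dot)org
(The real download page is get.adobe.com/reader.)
Copyright 2011 Adobe Systems Incorporated. All rights reserved.
"""

if __name__ == "__main__":
    for domain, brand in suspicious_domains(SAMPLE_EMAIL):
        print(f"suspicious: {domain} impersonates {brand}")
```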

Posted in GFI Software

Adobe Patches (shockwave, Flash, Reader & Coldfusion), (Wed, Feb 9th)

Just to add to the list of patches released: (thanks Frank, Ric, Jack):

APSB11-01: Security update available for Shockwave Player
APSB11-02: Security update available for Adobe Flash Player
APSB11-03: Security updates available for Adobe Reader and Acrobat
APSB11-04: Security update: Hotfix available for ColdFusion

Make sure you update these products as well please.
Mark

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security

Adobe Patch Tuesday

Adobe has issued patches to fix a number of vulnerabilities in:

– Adobe Reader X (10.0) for Windows and Macintosh,
– Adobe Reader 9.4.1 (and earlier) for Windows, Macintosh and UNIX, and
– Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh.

The vulnerabilities could crash the applications and enable an intruder to take control of the system. Adobe Reader X is protected from some of the vulnerabilities by its Protected Mode mitigations.

Updates available:

– Adobe Reader X (Windows and Macintosh): update to version 10.0.1,
– Adobe Reader 9.4.1 (UNIX): update to Adobe Reader 9.4.2 (available February 28),
– Adobe Reader 8.2.6.

Tom Kelchner

Posted in GFI Software


Patch Tuesday for February 2011 – Adobe and Microsoft

As expected, today Microsoft and Adobe published updates for Windows, Internet Explorer, Windows FTP service, Visio, Flash Player, Shockwave Player, Reader, Acrobat and ColdFusion.

Microsoft published 3 critical and 9 important fixes today. The first noteworthy fix is MS11-003 (CVE-2010-3971), a recursive CSS vulnerability, discovered last December in Internet Explorer, that could allow remote code execution (RCE). Considering the vulnerability has been included in the Metasploit Framework for well over a month and we haven’t seen it active in the wild, SophosLabs has rated it medium.

The second critical fix was for MS11-006, (CVE-2010-3970) a flaw in the graphics rendering engine that could allow RCE when thumbnails of files are viewed in Explorer. While we haven’t seen this successfully exploited in the wild yet, there have been reports that some malware authors have made unsuccessful stabs at it. SophosLabs has provided protection against exploitation as MAL/CVE3970-A and rates this flaw as medium.

The last critical patch is MS11-007 (CVE-2011-0033), which closes a hole that could allow an attacker to create a malicious font and lure a user to view a website using that font to compromise their machine. This bug was privately disclosed, but may be interesting to enterprising criminals. SophosLabs has not seen anyone using this as a method of exploitation, so they have decided to rate it medium as well.

Adobe bulletin APSB11-01 resolves 21 vulnerabilities in Shockwave Player. Adobe has rated this patch as critical and more worryingly all 21 vulnerabilities can lead to code execution. I’ve mentioned this before, but I feel the need to again… Do you really need Shockwave Player on your PC? If not, it’s best to reduce the attack surface of your machines by removing it. If you do require it, you can download the latest version at http://get.adobe.com/shockwave.

Adobe bulletin APSB11-02 fixes 13 vulnerabilities in Flash Player, all of which can lead to code execution. Adobe has rated this patch as critical. Because Flash Player is so widely used and distributed, we recommend updating your Flash Player installations as soon as possible. The latest Flash Player can be downloaded from http://get.adobe.com/flashplayer. Users of Google Chrome should have already received an update patching these vulnerabilities.

Adobe bulletin APSB11-03 addresses 29 vulnerabilities in Adobe’s Reader and Acrobat products. This includes fixes for 23 code execution, 1 elevation of privilege, 3 denial of service and 2 cross-site scripting flaws. Adobe has rated this patch as critical. Similar to Flash, the ubiquity of Adobe’s Reader software requires that you update as soon as possible. Fortunately Adobe Reader includes an auto-update function now. Those of you who need to download it for distribution can get it from http://get.adobe.com/reader.

The last bulletin, APSB11-04, affects Adobe ColdFusion and Adobe has rated it as important. It covers five flaws, two of which are related to cross-site scripting. ColdFusion users can find instructions for applying this hotfix in this technical note.

As always, for SophosLabs analysis of all important vulnerabilities visit our latest vulnerabilities page. Microsoft’s advice on the February 2011 patches can be found on their blog. The Adobe security bulletins can be found on their security page.

Creative Commons image of a Band-Aid courtesy of kevindean’s Flickr photostream. Creative Commons image of Bad Fonts courtesy of twcollins Flickr photostream. Creative Commons image of Adobe product montage courtesy of pcsiteuk’s Flickr photostream.

Posted in Sophos

Adobe Reader 9.4.2 and 10.0.1 Updates are out , (Tue, Feb 8th)

Adobe released updates for Reader for 9.4.2 and 10.0.1. While this page on Adobe’s site doesn’t actually list them correctly, if you drill down into the actual product and OS, you’ll see the updates listed for 2/8/2011.
Happy Patching.
– Joel Esler | http://blog.snort.org | http://blog.joelesler.net

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security

Update: Researchers unsure why Adobe Reader X spoiled new PDF attack

Adobe’s Reader X, last year’s upgrade that features a “sandbox” designed to protect users from PDF exploits, stymied a recent attack campaign, researchers said.

Full story: Network World on Security

Posted in Security

Patch Tuesday (Microsoft and Adobe) coming next week


Microsoft

Microsoft has posted advance notification of what we can expect on February Patch Tuesday next week:

There will be 12 security bulletins. Three are considered critical and nine important. They will cover updates and fixes in Windows, Internet Explorer and Microsoft Office.

Adobe

Adobe has posted a security advisory saying it will fix critical vulnerabilities on Tuesday with updates for:
– Adobe Reader X (10.0) (Windows and Macintosh),
– Adobe Reader 9.4.1 and earlier (Windows, Macintosh and UNIX),
– Adobe Acrobat X (10.0) (Windows and Macintosh), and
– Adobe Acrobat 9.4.1 and earlier (Windows and Macintosh).

An update for UNIX versions will be available by the week of February 28, Adobe said.

Tom Kelchner

Full story: GFI Labs blog

Posted in Antivirus


SW Adobe to Update Reader and Acrobat on Patch Tuesday

Next Tuesday, on their regularly-scheduled quarterly Acrobat Patch Tuesday, Adobe will release security updates for all Windows and Mac Acrobat and Reader versions. Updates for the UNIX version are expected by the week of February 28, 2011.

Adobe committed about a year ago to a regular update cycle like Microsoft’s. It’s not often that they have been able to keep to it, as many of their updates have been urgent enough for them to go “out of band.”



Full story: Security Watch

Posted in Security
