Computer Security Articles

A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.

SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.

The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date with a two digit number attached).

The emails typically look like this:

Hello, [recipient email]

It was scanned and sent to you using Xerox WorkCentre Pro.
Please open the attached document.

Sent by: Guest
Number of Images: 1 Attachment
File Type: PDF.
WorkCentre Pro Location: Machine location not set

I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.

When opened by Adobe Reader 8, the PDF displayed nothing, but does attempts to download and run malicious code from a Colombian TLD.

However, when I opened the same file with Adobe Reader X no attack occurs and an error message is displayed:

Other variants (also detected as Troj/PDFJs-QB) link download and run a fake anti-virus attack that Sophos intercepts as Mal/FakeAV-EA.

The malicious code is stored within the Producer tag :

and accessed via the this.producer

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		jbka=this[i.replace('qw','')];
	}
}
jbka('cck=this.producer');
xswi=jbka(cck.substr(0,19));
...

Hiding code within other parts of PDF files isn’t a new trick and if you want to find out more about PDF threats then look at my earlier article: “PDF security under the microscope: A review of OMG-WTF-PDF”.

It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!

For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.

Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.

(23 August 2010, duration 24:36 minutes, size 11.3MBytes)

You can also download this podcast directly in MP3 format: Chet Wisniewski interviews Adobe’s Brad Arkin. All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.

Full story: Naked Security – Sophos

I recently upgraded my copy of Adobe Reader to Adobe Reader X, the new version that sandboxes the PDF reader. I immediately had problems with PDFs that I tried to open from the internet. I uninstalled Reader X and reinstalled to no avail. I suspected that there might be an issue between Sandboxie and Reader … Read More.

Full story: ESET ThreatBlog

I didn’t expect a part 5, but here it is! Adobe has announced that they will be making some significant changes to Flash. In a blog post http://blogs.adobe.com/flashplatform/2011/01/on-improving-privacy-managing-local-storage-in-flash-player.html Adobe’s marketing machine really pours it on thick, but there appears to be some good news.
In the blog it is stat4ed that a future release of Flash … Read More.

Full story: ESET ThreatBlog

Flash cookies: the bane of Internet users’ experience ever since it became public that companies were using them to track users—completely separate from normal browser cookies. It’s not easy for regular users to go digging around to delete Flash cookie data, but that may change soon thanks to Adobe.

The company has been working with developers from Microsoft and Google to implement a new browser API that will make it easier for browser users to get rid of the local shared objects (LSOs, also known as Flash cookies) used by the Flash Player. In fact, the new API (NPAPI ClearSiteData, for the curious) has already been approved for implementation, and is expected to appear in Firefox sometime in the near future.

Read the comments on this post

Full story: Security

Another site selling “memberships” for something that’s free

Here’s the latest twist in the “membership” site scam: spam emails that tell potential victims to update their Adobe Reader include links to a web site intended to look like something related to Adobe products, but is selling “memberships.”

The REAL way to update your Adobe software is on the help menu: help | check for updates (see the end of this blog piece for details).

The spam email:

(click graphic to enlarge)

Notice that the graphic on the web page says “PDF Reader/Writer” and doesn’t mention Adobe, as the email (and the URL it contained) did:

(click graphic to enlarge)

The default selections on the “choose your  plan” page includes

– three years of “unlimited VIP access and support” ($ 12.97)
– one year of “full protection against intrusion with ETD scanner” ($ 1.49 per month – payable up front, so that’s $ 17.88)
– “award-winning download accelerator” for $ 9.95.

That’s a total of $ 40.80.

(click graphic to enlarge)

A web search for “ETD scanner” is interesting too. Its home page says it has been parked by GoDaddy.

In material that comes with it, it’s described as: “… an anti-spyware/malware/trojan, privacy protector, system performance enhancer and popup blocker software all-in-one!” In its “system requirements” the latest version of Windows listed is 2003.

The scanner is for sale on a site called “BrotherSoft”  for $ 29.95 although only 135 people have purchased it in a year and a half.

A 60-day trial version that we downloaded installed successfully and wasn’t detected as malicious code by VIPRE or other AV sources, but didn’t download any signature updates, so, apparently the only detections it was capable of were those from 2004 (if it’s functional at all.)

 

How to REALLY update Adobe products (IT’S FREE!)

Now back in the REAL world, if you want to update one of your Adobe products, you open it, then select the help menu, then “check for updates.” They’re free.

 (click graphic to enlarge)

Thanks Adam.

Tom Kelchner

– on Sunbelt Blog

There’s been a lot of news related to software sandboxing in the last week, but one event in particular: Google has moved version 8 of Chrome (specifically 8.0.552.21) into the “Stable” channel, making it the release-level version.

Version 8 adds a PDF reader built into the browser and moves the already integrated Adobe Flash Player into the Chrome sandbox. Thus two of the biggest attack targets for Windows users become substantially neutered.

At the same time Google announced 12 vulnerabilities fixed in the new version and, as usual, the importance of the severity ratings is being ignored in most reports. 4 of the vulnerabilities are rated “High,” less than the maximum of “Critical,” largely because High vulnerabilities don’t get out of the sandbox. As you can see from Google’s severity guidelines, High vulnerabilities can be quite serious, such as cross-site scripting bugs, but all four of these High bugs appear to be memory management bugs which won’t allow any abuse out of the sandbox, and therefore won’t allow anything all that serious to happen to the PC.

I’ve been using the PDF reader in the Beta channel for some time and functionally it’s basic. What it does is to read the PDF and render it in the browser DOM, not in a control, so all the rendering is within the security of the browser engine. But browser rendering and UI are not as powerful or flexible as a native program like Adobe Reader, so you do run into things that don’t work, or don’t work as well as in Reader. Still, most of the time all you’re doing is reading the document and that usually works fine. If you need to do more, you can download the file and use another reader.

Google and Adobe each released their own blog entries announcing the incorporation of the integrated Flash player into the sandbox. In fact, Flash is already substantially sandboxed in many environments, such as on Windows Vista and Windows 7 where it runs as a low integrity process, but only in Chrome is it sandboxed in Windows XP. And since Chrome’s Flash Player is updated automatically, fixes to any vulnerabilities in Flash are easiest to get there too. These are major reasons why Chrome is my default browser now.

But there are limits to sandboxes. Thanks to Ryan Naraine on ZDNet for pointing me to analysis done by security software firm Invincea describing the limitations in the Adobe Reader X sandbox. Invincea calls sandboxing such as Reader’s “a step in the right direction.”

Even Adobe’s engineers (and Microsoft’s and Google’s, as they all use the same basic sandbox architecture) concede certain limitations:

• Protected Mode will not prevent unauthorized read access to the file system or registry.
• Protected Mode will not restrict network access.
• Protected Mode will not prevent reading or writing to the clip board.

So a “successful” exploit in the sandbox could, for example, read files or registry data to which the user in whose context the program ran has access and send them over the network. Invincea proposes protections against these and other attacks and, no surprise, their own products claim to provide them.

– on Security Watch

Don’t just read the latest computer security news – watch it in just 90 seconds!

This month: Apple has all sorts of fun; Facebook decides its users are “inauthentic”; Adobe gets a sandbox to play in; and Firesheep puts you on notice.

Watch and enjoy:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Or listen to the podcast:

02 December 2010, duration 2:05 minutes, size 2.0MBytes

A website labelled ‘Porn TV’ acts as a malware distribution platform: freev.info When clicking on any video link, a very convincing screen pops up: Downloading the update actually downloads a malware file (Adobe_FlashPlayer_Update_nov.2010.exe) from: freev.info/go/getflashplayer/ There currently is very low detection amongst AV vendors (8/43 on VirusTotal). The malicious server hosting that file is located in [...] – on Malware Diaries

The attack scenario is based on spam mail mentioning an app for iPad and iPhone. – WebMaster (news@malwarecity.com) on MalwareCity Blog

Last week Adobe released the next generation of Adobe Acrobat and new versions of Reader to go along with them, Adobe Reader X, specifically the Windows version, raises the bar for attackers who would use software vulnerabilities in PDF files to take control of the system.

As we have extensively discussed before, Reader X for Windows implements a sandbox architecture similar to that used in Google Chrome and Microsoft’s Office 2010. Google calls the sandbox “Protected Mode.”

Code running in Protected Mode has very limited privileges, and therefore exploits of vulnerabilities in Reader will also have very limited privileges. For instance, it won’t be able to write to the file system or modify the registry. This will severely impede its ability to install malware.

Adobe has written a series of blogs on how Protected Mode works. The latest entry, written by an outside consultant involved in the development of Protected Mode, an effort he says:

…may well be the most ambitious attempt to sandbox a Windows application to date: Millions of lines of existing code, a third-party development platform, every multimedia technology under the sun, all now running in an entirely new execution environment. It is hard to overstate the challenge of doing so and the accomplishment of getting there.

Clearly it’s hard to write these sandboxes. There are only a few of them and they all come from large, well-funded software companies. You can’t hack one of these yourself nights and weekends.

As PDF hacker extraordinaire Didier Stevens points out, the sandbox works best on Vista and Windows 7, less well on Windows XP. The newer versions of Windows utilize Windows integrity levels to run Reader X at low integrity and prevent malicious interaction with processes at higher levels. (Similar sandboxes have had vulnerabilities which allow code injection from processes at the same integrity level.)

So cross your fingers. We may have entered a new era of security for Windows users. Either that or exploit writers will just continue to move from PDF to Java.

– on Security Watch

We received several reports of spam email messages that advertise a new version of Adobe Acrobat, attempting to entice the recipient into clicking a link to a suspicious website. (Thanks, Steve and Bill.)
Since Adobe announced a new version of Adobe Reader a few days ago, we expect to see an increase in spam proclaiming security advantages of the new version and encouraging people to upgrade. It’s likely that the new messages will even highlight the improved security of the new version (Adobe Reader X) as an element of social engineering.
At the moment, Adobe Acrobat/Reader spam is not yet using the Reader X designation, but talks about Adobe Acrobat 2010:

Subject:Download Your New Adobe PDF Reader For Windows And Mac

INTRODUCING UPGRADED ADOBE ACROBAT 2010

Dear Customers,

Adobe is pleased to announce new version upgrades for Adobe Acrobat 2010.

hxxp://www.adobe -acrobat-solutions.com

Advanced features include:

…
Variations of these messages have been around for a few months, as Adobe confirmed on September 13. The spam that we’ve seen have used mostly the same text in the body of the email message, but changed email Subject lines and destination URLs:

September:

Subject: Upgrade New Adobe Acrobat 2010 PDF Reader Alternative,hxxp://www.pdf -adobe-download.com

October:

Subject: Adobe Upgrade Notification,hxxp://www.adobe -upgrades.com

Subject:Action Required : Download Your New Adobe Acrobat Reader,hxxp://www.adobe -acrobat-new-download.com

Subject: New Adobe Acrobat PDF Reader Alternative,hxxp://www.official -adobe-software.com

November:

Subject: Action Required : Active Your New Adobe PDF Reader, hxxp://http://www.adobe -pro-software.com

Subject: Action Required : Upgrade Your New Adobe PDF Reader, hxxp://www.adobe -pro-upgrade.com

Subject:Download Your New Adobe PDF Reader For Windows And Mac,hxxp://www.adobe -acrobat-solutions.com
Note that suspicious domains used as part of this campaign tend to include adobe as part of its name, along with incorporating hyphens.
The domains that are still active were registered with Regional Network Information Center, JSC dba RU-CENTERand specifiedns3.nic.ru,ns4.nic.ru, andns8.nic.ru as their DNS servers. Contact details for the domain sometimes specified PDF Reader Solutions as the registrant, and were probably fake.
The sites advertised as part of the spam campaign attempt to convince the person to provide his or her credit number to obtain PDF reader/writer software using a form that’s hosted on secureonline.ru. We haven’t checked whether the software is actually malicious, but we’re doubtful of its intentions.
Here’s what the landing pages linked from spam messages looked like:

Here’s what the subsequent pages, which requested user data, looked like:

Consider letting users in your organization know about these Adobe spam activities, so that they don’t attempt to download and install software coming from an untrusted source.
– Lenny Zeltser
Lenny Zeltser leads a security consulting team and teaches how toanalyzeandcombat malware. He is activeon Twitterand recently launched asecurity blog.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License. – on SANS Internet Storm Center, InfoCON: green

If one software vendor has taken a lot of heat in the past couple years it’s got to be Adobe. It almost became a common thing to hear of yet another 0 day in Reader or Flash… Truth is, when looking at web threats, Adobe is not the only one to blame. Almost every popular [...] – on Malware Diaries

PC World – Adobe Reader X is here. Adobe announced earlier this year that it was working on a more secure version of its ubiquitous PDF reading software, Adobe Reader. The new version includes Protected Mode, a sandboxing security control designed to prevent malware exploits against the application. – on Yahoo! News: Security News

Adobe has just released Adobe Reader and Acrobat in Version 9.4.1. This release fixes 20 bugs of which 17 are rated critical security vulnerabilities by the company. This means that attackers can abuse them to smuggle malware like Trojans on victims computers – just by opening infected PDF documents, for example.

The updates for Windows and Mac OS X can be downloaded on Adobes website, the update for Unix versions of Reader is announced for the 30th of November. Users and administrators should install the new versions as soon as possible.

Dirk Knop
Technical Editor

Source: Avira – TechBlog

In case you’ve not read Adobe’s announcement: Adobe Reader X is out. Use Adobe’s FTP server if you want to avoid their download manager.

Protected Mode Adobe Reader comes with a sandbox (like Internet Explorer, Microsoft Office 2010, Google Chrome) designed to prevent malware from writing to important system components.

If you’re interested in the design details of the sandbox, I recommend Kyle Randolph’s excellent series of posts.

To benefit the most of Adobe Reader’s sandbox, you need to use a Windows version that supports integrity levels (Windows Vista or later). Windows XP will not offer you this protection.

And don’t become complacent about patching your sandboxed applications. Because if there exists a vulnerability that allows one to escape from a sandboxed application, say in IE7, then one can use this vulnerability to escape from other sandboxes, like Adobe Reader X, based on the same low integrity level design.

Quickpost info

Source: Didier Stevens

Adobe today released Reader X, the next version of its popular software that includes a “sandbox” designed to protect users from PDF attacks.

Source: Network World on Security

With the release of Adobe Acrobat and Reader X (pronounced “ten” if you’re curious), Adobe is also releasing security updates for earlier versions of those products.

As detailed in Security Bulletin APSB10-28, version 9.4.1 of Reader and Acrobat incorporate recent updates to Flash and 2 Acrobat issues which had been revealed in the past few weeks (here and here).

Version 9.4.1 of Acrobat is now available for Windows and Mac, and of Reader for Windows, Mac and UNIX. These issues do not affect Adobe Reader for Android.

Adobe also issued a warning that the release of Acrobat and Reader X is likely to inspire Internet-based scams involving fake updates, phishing and the like. It’s worth being alert to such things and to make sure to obtain software only through a reliable channel.

Adobe hasn’t had the opportunity much to follow their own schedule, but the next scheduled update for Reader and Acrobat will be February 8, 2011.

Source: Security Watch

Adobe has issued a prenotification security advisory to say that next Tuesday, November 16, they will release security updates for Adobe Reader and Acrobat 9.x.

On that day they will release updates for Reader 9.4 and earlier 9.x versions for Windows, Mac and UNIX. They will also release updates for Acrobat 9.4 and earlier 9.x versions for Windows and Mac. The UNIX updates for Acrobat is expected on Monday, November 30. No mention is made of any updates for 8.x versions of Acrobat or Reader.

The prenotification specifically says that the updates will include the CVE-2010-3654 issue in Flash, which has been observed in the wild, but it will likely include all the other Flash issues fixed by Adobe in Flash itself last week.

Source: Security Watch

A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shell code in memory using heap spraying to exploit the vulnerability.

Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

Adobe has published advice on how to avoid this vulnerability by blacklisting the vulnerable function call. The issue was unknown to Adobe PSIRT Team when Websense Security Labs informed them about it. Respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue.

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

We will update this blog post with any interesting developments.

View full post on Security Labs

Yesterday was sort of a busy day for Adobe security. Of course, that doesn’t seem like such an uncommon occurrence these days. Adobe issued an update to address a security flaw in Flash, and followed up with a new security advisory about a vulnerability impacting Adobe Reader.

View full post on Network World on Security

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_…
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-asessment’s pdf on it, its good.

Anyway, its a cool bug.

Adobe Releases Flash Updates For 0-Day Bugs [Updated]

Posted on 06 November 2010. Tags: 0day, Adobe, Bugs, flash, Releases, updated, Updates

Adobe has released updates to Flash Player on Windows, Macintosh, Linux, Solaris and Android to address a large number of vulnerabilities. The new version for Windows, Macintosh, Linux, and Solaris is 10.1.102.64. The new Android version is not yet available, but is expected by November 9.

[Correction: This entry originally gave an incorrect version number for the new version. We apologize for the error.]

The security bulletin announcing the updates describes 18 of them. One of them, CVE-2010-3654, announced a week ago, has been reported to be used in the wild in attacks against Adobe Reader and Acrobat. A fix for those products is expected the week of 11/15.

View full post on Security Watch

Posted in SecurityComments Off

Zero-day Flash bugs squashed by Adobe

Posted on 06 November 2010. Tags: Adobe, Bugs, flash, squashed, ZeroDay

Adobe has issued a security update for its widely-used Flash software, protecting against a number of critical security vulnerabilities that could be exploited by malicious hackers.

In a security bulletin published on its website, Adobe recommends that users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64.

In addition, the firm says that they expect to make available an update for Flash Player 10.x for the Android mobile operating system by November 9, 2010.

One of the vulnerabilities fixed by the updated version of Flash is CVE-2010-3654. Last week the firm warned that that exploit was being used by malicious hackers to target users of Flash, Acrobat and Adobe Reader. A fix for Reader and Acrobat is scheduled for the week of November 15.

If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. But remember that if you use more than one browser on your computer you should check the version number on each.

By the way, take a little care when installing a new version of Flash. You may want to think carefully about whether you also want to install McAfee Security Scan Plus.

Adobe rather cheekily (in my humble opinion) defaults to having that box selected by default even though it’s not necessary if all you want to do is update Flash.

It would obviously be a good idea for everyone to update vulnerable computers as soon as possible.

View full post on Naked Security

Posted in AntivirusComments (10)

New Bug in Adobe Reader Under Investigation

Posted on 06 November 2010. Tags: Adobe, investigation, reader, Under

An anonymous post yesterday on the Full-Disclosure mailing list included a proof-of-concept PDF file which demonstrated a crash bug in Adobe Reader and was acknowledged shortly thereafter by Adobe.

Adobe’s blog entry says that while denial of service (i.e. program crash) has been demonstrated, the post’s claims of remote code execution have not. They are investigating whether it’s actually possible to execute code. The company says that Acrobat is not affected by the problem, just Reader 9.2 and later and Adobe Reader 8.1.7 and later on Windows, Mac and UNIX.

The blog also describes how to use Reader’s JavaScript blacklist feature to disable the relevant API, which appears to be Doc.printSeps. I’ve looked and looked and cannot find a reference to say exactly what Doc.printSeps is supposed to do.

We will follow the problems and give more information as it becomes available.

View full post on Security Watch

Posted in SecurityComments Off