Posts tagged ‘Zero Day’

Zero Day in Adobe Acrobat and Reader Part 3 Oh Crap

Secunia has verified disabling javascript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader.
The current exploit seen in the wild uses javascript to perform a heap spray for code execution, but the vulnerability itself is in a non-javascript function call. The original alert put out by Shadowserver states:

There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it.

Secunia reports that they have “managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.”
Even without this method of exploiting without javascript, a SANS commenter has pointed out the potential problem of disabling javascript. When a user opens a PDF containing javascript, they are prompted to re-enable javascript by clicking yes. How many users are really going to stop and consider the source of the file before re-enabling javascript?

Zero Day in Adobe Acrobat and Reader Part 2

Adobe has posted a security advisory for the zero day in Adobe Acrobat and Reader that I blogged about yesterday.
They say they are

“planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow”

Last time, the updates for version 7 followed along about 8-10 months later if memory serves. Their little incentive for people to upgrade. I’m surprised they haven’t sunsetted version 7 already. I’ve looked for software support life-cycle information from Adobe and haven’t found it.
The recommended mitigation for this vulnerability is disabling javascript until a patch is available. I’ve never seen anyone mention what effect that might have.
Every article says to disable javascript in Adobe through Edit -> Preferences -> javascript. In an enterprise you would want to know: is there a way to disable javascript in Adobe programmatically (by pushing a registry entry via a login script, SMS or Group Policy)?
Using Process Monitor from Sysinternals, I see that when you disable javascript in the GUI it sets HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS to 0. Googling bEnableJS, I found that SANS ISC has an ADM file (used in Group Policy, for the non-Windows admin types) that they posted during the last Adobe exploits back in November. It disables javascript for Acrobat and Reader 6, 7 and 8.
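As an added example (not from this post and not the SANS ISC ADM file), here is a PowerShell script that does the same job from a login script: it writes bEnableJS = 0 under each user's JSPrefs key and then audits what is actually set. Only the Acrobat Reader 8.0 key was observed in the post with Process Monitor; the 'Adobe Acrobat' product key name, the 6.0/7.0/9.0 version keys and the audit function names are assumptions that follow the same layout.

```powershell
# Added example, not from the post: set and audit the per-user Acrobat/Reader
# javascript switch (JSPrefs\bEnableJS) that the GUI toggles.
# Only "Acrobat Reader\8.0" is confirmed by the post; other names are assumed.
$products = @('Acrobat Reader', 'Adobe Acrobat')   # 'Adobe Acrobat' is an assumed key name
$versions = @('6.0', '7.0', '8.0', '9.0')          # 6/7/8 per the ADM file; 9.0 assumed

function Get-AcrobatJsState {
    # Report every JSPrefs key present for this user and whether JS is off.
    foreach ($p in $products) {
        foreach ($v in $versions) {
            $key = "HKCU:\Software\Adobe\$p\$v\JSPrefs"
            if (Test-Path $key) {
                $val = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
                [pscustomobject]@{
                    Product   = $p
                    Version   = $v
                    bEnableJS = $val
                    Disabled  = ($val -eq 0)
                }
            }
        }
    }
}

function Disable-AcrobatJs {
    # Create the key if the product has not been launched yet by this user,
    # so the setting is already in place on first run.
    foreach ($p in $products) {
        foreach ($v in $versions) {
            $key = "HKCU:\Software\Adobe\$p\$v\JSPrefs"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

Disable-AcrobatJs
Get-AcrobatJsState | Format-Table -AutoSize
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in the user's context (a login script, or a Group Policy user preference), not as a machine startup script. Re-running the audit function periodically is worth it: as the Part 3 post notes, a user who opens a PDF containing javascript is prompted to turn it back on, so a value of 1 showing up again is the signal that the setting has been undone.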

Zero Day in Adobe Acrobat and Reader

As linked from SANS ISC, shadowserver is reporting targeted attacks using a zero day vulnerability in Adobe Acrobat and Adobe Reader. Versions 8 and 9 are vulnerable.
Disable javascript in Acrobat/Reader to avoid the code execution vulnerability; however, the application will still crash.

Targeted attacks on Wordpad Zeroday

Computer Associates blogged over the weekend on increasing attacks on the Wordpad zero day originally reported in December.
In the attack a malicious document is created with the extension .DOC, .RTF or .WRI. You must manually open the document for the attack to take place. If Office is installed, .DOC files will likely open in Microsoft Word which is not vulnerable. However .WRI files will likely still open in Wordpad.
Microsoft reports that this issue does not affect Windows XP Service Pack 3 or Windows Vista. Really, you should have that installed by now. To obtain this update go to http://update.microsoft.com.

Jesper writes up Antivirus XP 2008

Jesper Johansson writes about Antivirus XP 2008, with some really good screenshots, in an article in TheReg.
You don’t need a zero day when users have admin rights and can be tricked into installing the malware.

Article: Flash Ads launch clipboard hijack

We all know that malicious ads can be hosted by legit sites. Generally being fully patched (including third party apps) is a good protection against most attacks other than social engineering.
Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.
I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.
Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.
Then this guy says he’s seen it back in July.
The domain injected into the clipboard is for the rogue antivirus software Antivirus XP 2008. The domain has been used for malicious purposes going back to at least April 2008.

New Adobe Flash Vulnerability

There were multiple reports today of an unpatched Adobe Flash vulnerability currently being exploited.
Symantec Bugtraq reports that this exploitation is fairly widespread. SQL injection has been used to insert code onto otherwise legitimate websites that results in malware loading to exploit Flash.
Not a lot to be done. You could crawl into the Firefox/NoScript cave. I’d suggest having that as an option, but in general keep the antivirus updated and make sure your Flash is patched so you aren’t exploited by old attacks. Buckle your safety belts; it could get bumpy.
UPDATE:
Further reports indicate that this is not a zero day vulnerability. It is exploiting unpatched versions of Flash. Make sure every browser installed is running the current version of Flash. IE and Mozilla-based browsers use different Flash installs.

Good for Office 2003 sp3

David LeBlanc takes the occasion of an Excel zero day to say “see, I told you so.” Excel 2003 SP3 is not vulnerable.
I’d like to know if SP3 is not vulnerable because of the disabling of support for old file formats, or if it’s not vulnerable due to the other assorted fixes in the service pack. David implies it’s the latter, saying “We did a _lot_ of work fuzzing our apps and fixing bugs. While I’ll never claim that SP3 is unbreakable, it’s a lot more robust than Office 2003 was previously, and this probably won’t be the last time we see an advisory over something that affects SP2 but not SP3.”
I was just thinking: if it’s not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow the information in this KB to enable those file types are still vulnerable. I guess we’ll find out when the patch is released and more information is available. Until then I’m going to go put a bug in someone’s ear at work about upgrading to SP3. We can’t afford to wait until all of our other apps support Office 2007.

Tiger Team on CourtTV

I just saw that CourtTV (CourtTV is TruTV as of 1/1/2008) had a pen testing show called Tiger Team that aired a couple of times last week. GrumpySecurityGuy calls it “It Takes a Thief” with a security twist.
Don’t go in expecting this show to be about a Red Team in a dark room somewhere running zero day attacks while the Symantec Security NOC is soiling themselves because green lights turn to red on a big board on the wall. It doesn’t look like we’re going to see Chloe say “it’s ok, we’ve got the Cisco Self-Defending Network”. The episodes I’ve seen have had the team attempt to penetrate small, very secure businesses. You don’t need to bust through a firewall or wait for a phishing reply when you can just hand someone a USB key and ask them to print out a document from it.
The team has a social engineer, a computer security guy and a physical security guy (if I remember the introductions correctly). In the first caper they take down security at a high end car dealership. In the second episode they go after an elite, exclusive jewelry design shop. Both episodes were a heck of a lot of fun.
Preview:

Hopefully we’ll be seeing more of these episodes. I don’t see any upcoming episodes in the program guide data. I also couldn’t find the episodes on the CourtTV website. I had to bittorrent them (kids don’t try that at work).

Another Vulnerability in Quicktime? Oh Come on

US-CERT has posted an alert about a zero day vulnerability in Quicktime:

US-CERT is aware of a vulnerability in Apple QuickTime that may allow an attacker to execute arbitrary code or cause a denial-of-service condition on an affected system.
Until a security fix becomes available, US-CERT encourages users and administrators to follow the Securing Your Web Browser document to help mitigate the security risk.

That seems about right. I just pushed the last security fix from Quicktime out to the first test group.