Acrobat Reader Vulnerabilities - FreeBSD Security Benchmark - Phishing Season

Published: 2004-08-17
Last Updated: 2004-08-18 18:51:06 UTC
by Cory Altheide (Version: 1)
Acrobat Reader Buffer Overflows - Linux/Windows command execution

iDEFENSE has released two advisories regarding vulnerabilities in Adobe's Acrobat Reader software. The first is in the Acrobat Reader for UNIX systems, and allows arbitrary code execution via a buffer overflow in the handling of uuencoded documents.

http://idefense.com/application/poi/display?id=125&type=vulnerabilities

The second is a buffer overflow in the ActiveX component of Acrobat Reader for Windows. This vulnerability poses a much greater threat, for a number of reasons. First, according to iDEFENSE, the overflow is still present in current releases of Acrobat Reader. Second, the number of target systems is much greater than for the UNIX Acrobat Reader vulnerability. Finally, and most importantly, the advisory contains what is essentially a roadmap for any would-be exploit developer.

http://idefense.com/application/poi/display?id=126&type=vulnerabilities

FreeBSD Security Benchmark

CIS has released a benchmark for the FreeBSD operating system, which is, according to the site, "intended for FreeBSD versions 4.8 and later." I believe this means FreeBSD 4.8-4.10 (Production) and does *NOT* include the 5.x series, which is still currently a "new technology release."

http://www.cisecurity.org/bench_freebsd.html

UPDATE: Mark your calendars, true believers. I was wrong! According to CISecurity's John Banghart, the benchmark has been tested on FreeBSD 4.8 and 5.2.

Phishing Season

ISC reader Brandon Noble sent in the following:

"Quite a few people think they could NEVER get caught in one of these phishing scams. The truth is that the social engineering is very good.

Some of your readers may benefit from this little phishing test from Mail Frontier."

http://survey.mailfrontier.com/survey/quiztest.html

I took the test myself, and found it to be a fairly accurate sampling of common purely email-based phishing lures found in the wild - however, keep in mind that the quiz is the product of an anti-phishing product. Unfortunately, phishermen (phisherpersons?) are upping the ante, and using browser-specific spoofing vulnerabilities to increase the apparent authenticity* of their schemes. On that note, the prolific Liu Die Yu has discovered Yet Another Internet Explorer Spoofing Vulnerability. The gory details (and a proof of concept test) are available at the URL below.

http://secunia.com/advisories/12304/

In a discussion of anti-spoofing capabilities on the ISC mailing list, handler George Bakos pointed out the free anti-spoofing tool Spoofstick. Spoofstick is a browser extension for IE and Firefox that simply displays the current domain name. This is a simple yet elegant solution to many of the spoofing attacks currently employed by phishing sites. For more information (and to download the Spoofstick) head to the following URL.

http://www.corestreet.com/spoofstick
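Added example (not from the diary, and not Corestreet's code): the check a Spoofstick-style indicator boils down to, recovering the host a URL actually points at, alongside a mail-side check that flags links whose visible text names a different host than their target. The sample links are constructed; no real sites are referenced.

```javascript
// Added example (not part of the ISC diary or of SpoofStick itself): the
// core check a Spoofstick-style indicator performs, recovering the host
// that a URL actually resolves to, plus a mail-side check that flags links
// whose visible text names a different host than their target.
// Uses the WHATWG URL parser available in browsers and Node.js.

// Return the host a browser will actually connect to for `href`, or null if
// the string is not an absolute http(s) URL. Tricks such as an "@" userinfo
// block or mixed case in the host are resolved by the parser, not by us.
function effectiveHost(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname;
}

// Anchor text that looks like a URL or bare hostname is parsed the same way;
// plain words ("click here") carry no host claim and yield null.
function claimedHost(text) {
  const t = text.trim();
  if (/^https?:\/\//i.test(t)) return effectiveHost(t);
  if (/^[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(t)) return effectiveHost("http://" + t);
  return null;
}

// Classify one link from a message. "mismatch" is the lure pattern the
// diary describes: the text shows one site, the link goes to another.
function classifyLink(text, href) {
  const real = effectiveHost(href);
  if (real === null) return "unparseable";
  const claimed = claimedHost(text);
  if (claimed === null) return "no-claim";
  return claimed === real ? "consistent" : "mismatch";
}

// Constructed sample links modelled on common lures (reserved example names).
const SAMPLE_LINKS = [
  { text: "https://www.bank.example/secure", href: "https://www.bank.example/secure" },
  { text: "www.bank.example/secure", href: "http://www.bank.example@evil.example/login" },
  { text: "Click here to verify", href: "http://203.0.113.5/verify" },
];

function scanLinks(links) {
  return links.map(l => ({ ...l, verdict: classifyLink(l.text, l.href) }));
}
```

A link that parses but carries no host claim in its text still deserves a look; the indicator's job is only to show the real host, not to judge it.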

UPDATE: Several ISC readers have noted that SpoofStick currently fails to display the correct domain for the most recent IE spoofing attack as implemented in the aforementioned Secunia proof-of-concept. I am in contact with Corestreet in an attempt to rectify this.

UPDATE: Within two hours of contacting Corestreet the ISC received the following communication from Phil Libin, Corestreet's president:

SpoofStick for IE v. 1.02 (available from our website as of about an hour ago) fixes exactly this bug.
================

Cory Altheide

Handler-on-Duty

================

*I was going to say "decrease the phishiness" instead of "increase the apparent authenticity" but I'm willing to bet that ISC's audience had pretty much had their fill of cute perversions of "phishing" by the middle of the paragraph in question.