
SANS ISC InfoSec Handlers Diary Blog



Adobe Reader/Acrobat Critical Vulnerability

Published: 2009-05-04
Last Updated: 2009-05-04 17:43:16 UTC
by Tom Liston (Version: 1)

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier. According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009. The same update will also resolve a second vulnerability specific to Adobe Reader for Unix.

In the meantime, you can mitigate the issue by disabling JavaScript in Reader and Acrobat:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences.
  3. Select the JavaScript category.
  4. Uncheck the "Enable Acrobat JavaScript" option.
  5. Click OK.

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

Remember back when we used to tell people to PDF documents because it was safer than dealing with MS Office?

(Thanks to "roseman" for the tip...)

Tom Liston - InGuardians - Handler on Duty

Putting the ED _back_ in .EDU

Published: 2009-05-04
Last Updated: 2009-05-04 17:02:08 UTC
by Tom Liston (Version: 1)

The Internet is a wonderful thing. Think of all the ways it has changed how we do things. Over the weekend, I needed to find some information on a particularly nasty weed we had growing in our woods. Back in the day, it would have entailed a trip to the local library and a pretty good possibility of not finding anything at all. Now, all I needed was a little bit of Google-Fu, and I was able to find a web page with way more information on this plant than I ever wanted.

There are web pages out there for EVERYTHING (thus Rule #34), and at this point, pretty much anyone can stand up a website.  Take a course or two at the community college, shell out a few bucks for an "HTML for Dummies" book, and heck, you're a "web designer."

Therein lies the problem.

Knowing how to "design" a page o' dancing gerbils does not a secure site make. (<-- Note: while grammatically correct, like Yoda do I sound...) Once you've mastered the fine art of the <blink> tag, you need to actually check your site to make sure that one of the evil denizens of the 'net hasn't altered your masterpiece.

In the brilliant precursor to this sequel, I tried to point out a little bit o' Google-dorking that found some really interesting things on the sites of various institutions of higher learning.  This time around, I'll throw some .gov sites under the bus as well.

Try tossing the following query at big-G: "site:.edu filetype:html buy viagra"

Last time I did this, I didn't name names... but I'm older and more curmudgeonly now, so here is a cross-section of some of the .edu sites that made the "little blue pill" hit parade:

  • The Division of Social Sciences at UC Santa Cruz
  • The Space Systems Simulation Laboratory at Virginia Tech
  • Indiana University-Purdue University Fort Wayne
  • The University of Tennessee - Knoxville
  • The Biology Department (how fitting!) at the University of Central Florida
  • The University of Khartoum (ev1l h@x0rs don't just whack universities in the U.S.)
  • The Northern Marianas College (see...)
  • etc..., etc..., etc...

What's kinda' cool is that since Google takes some time to "forget," you can also see the folks who WERE whacked for long enough to get spidered by the Google bot, but have since cleaned things up.

And let's not forget our fine government.  Nothing makes a taxpayer more proud than to know that their government websites are flogging fixes for flagging phalluses (ain't the alliteration sweet?).  Head back to Google and search for: "site:.gov filetype:html order viagra online"

Let's see... who do we have here?

  • The City of Ingleside, Texas (and they say Virginia is for lovers...)
  • The Oklahoma House of Representatives (still not Virginia...)
  • Yadkin County, North Carolina (oh... really, REALLY close...)
  • The New Hampshire Police Standards & Training Council (hehehehe...)

So, if any of you happen to have some free time on your hands, give those Google queries a shot.  Play around with different combinations of words and different combinations of search constraints. Drop a nice, polite note to the folks in charge of the compromised sites and point out the issues... but don't be surprised if they get a bit ticked off at you: there is a long, time-honored tradition in the IT world of blaming the messenger...

So what's the deal here? While I haven't had (and don't have) the time to do an in-depth investigation, my guess would be that these are a result of having a Content Management System (CMS) get "managed" by someone else, either through a weak password or through a vulnerability in the CMS itself (these things are notoriously buggy...). Generally these "additions" are housed in a <span> marked with "visibility:hidden," and so a cursory glance at the site shows nothing amiss. If no one bothers to look at the actual code of the page, the altered pages can hang around forever, making your university, unit of government, or business look pretty darned silly.

The moral of the story: CHECK YOUR SITE, MONITOR YOUR LOGS, THEN DO IT ALL OVER AGAIN. LATHER, RINSE, REPEAT.
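As an added defender-side example (not code from the diary), here is a stdlib-only Python scanner for the pattern described above: it walks a page's HTML, collects the text of every <span>/<div> whose inline style hides it, and flags any whose text matches pharma-spam keywords. The keyword list and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed keyword sample; extend it with whatever your own pages should never say.
SPAM_WORDS = re.compile(r"\b(viagra|cialis|pharmacy|online casino)\b", re.I)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col", "wbr"}


class HiddenSpamFinder(HTMLParser):
    """Collects the text of each hidden subtree and keeps those that look like spam."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # >0 while inside a hidden element
        self.line = 0         # source line where the hidden element opened
        self.buf = []
        self.findings = []    # (line_no, normalised hidden text)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:  # void elements never get an end tag; don't count them
            return
        style = dict(attrs).get("style") or ""
        if self.depth == 0 and HIDDEN_STYLE.search(style):
            self.buf, self.line, self.depth = [], self.getpos()[0], 1
        elif self.depth:
            self.depth += 1

    def handle_data(self, data):
        if self.depth:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.depth:
            return
        self.depth -= 1
        if self.depth == 0:  # hidden subtree closed: evaluate its text
            text = " ".join("".join(self.buf).split())
            if SPAM_WORDS.search(text):
                self.findings.append((self.line, text))


def find_hidden_spam(html: str):
    """Return [(line, text)] for hidden elements whose text matches SPAM_WORDS."""
    parser = HiddenSpamFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one injected hidden span, one legitimately hidden div.
SAMPLE = """<html><body>
<h1>Department of Biology</h1>
<p>Welcome to our course listings.</p>
<span style="visibility:hidden">buy viagra online cheap
  <a href="http://example.invalid/">pharmacy</a></span>
<div style="display: none">site navigation placeholder</div>
</body></html>"""

if __name__ == "__main__":
    for line, text in find_hidden_spam(SAMPLE):
        print(f"line {line}: hidden spam text: {text!r}")
```

Run it over each page of your own site (fetched or straight from the CMS's document root) and diff the findings between runs; a new hit is the "someone else is managing your CMS" signal the diary is talking about.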

Tom Liston - InGuardians, Inc. - Handler on Duty


Facebook phishing malware

Published: 2009-05-04
Last Updated: 2009-05-04 14:47:00 UTC
by Tom Liston (Version: 1)

Looks like there may be a piece of malware out there that is sending out messages to folks on Facebook, trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix.in," so you may want to block that site. More details as we figure this thing out. (Thanks to Kent for the heads up!)
