Adobe 0-day in the wild - again

Published: 2009-12-15
Last Updated: 2009-12-16 20:15:36 UTC
by Johannes Ullrich (Version: 3)
10 comment(s)

Update2: It looks like Adobe will not be releasing an update to resolve this issue until Jan 12! Find their full advisory with the release date here ==> http://www.adobe.com/support/security/advisories/apsa09-07.html

Handler on Duty: Rob VandenBrink

------------------------------------------------

Update1: One of the samples that we had access to shows the following behavior, which could help you identify infections in your network/system:

The exploit has the executable included: AdobeUpdate.exe - Size 9.356k (hash 069175846447506b3811632535395bc3 ).

This executable will download another file called ab.exe (and save it as winver32.exe in the C:\windows folder). You may also check your logs for the website hxxp://foruminspace.com . This file is hosted there.

The current sample has the following specs: Size 386,016k and hash 686738eb5bb8027c524303751117e8a9 .

-------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno //&&// isc. sans. org)

Twitter: twitter.com/besecure
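
One way to sweep proxy logs and files on disk for the indicators listed in Update1 (an added example, not code from the diary or its handlers). The function names, the Squid-style log layout and every sample log line are assumptions made for illustration; only the hashes, file names and domain come from the text above.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the diary text above.
BAD_MD5 = {"069175846447506b3811632535395bc3": "AdobeUpdate.exe",
           "686738eb5bb8027c524303751117e8a9": "ab.exe / winver32.exe"}
BAD_DOMAIN = "foruminspace.com"
BAD_NAMES = {"adobeupdate.exe", "ab.exe", "winver32.exe"}

# Constructed proxy log lines (Squid native layout assumed; all paths made up).
SAMPLE_LOG = [
    "1260900000.1 120 10.0.0.5 TCP_MISS/200 4312 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html",
    "1260900042.5 310 10.0.0.7 TCP_MISS/200 9000 GET http://foruminspace.com/ab.exe - DIRECT/192.0.2.20 application/octet-stream",
    "1260900050.0 80 10.0.0.8 TCP_MISS/200 900 GET http://notforuminspace.com/ - DIRECT/192.0.2.30 text/html",
    "1260900060.0 95 10.0.0.9 TCP_MISS/200 0 CONNECT WWW.ForumInSpace.com:443 - DIRECT/192.0.2.20 -",
    "1260900070.0 70 10.0.0.9 TCP_MISS/200 700 GET http://dl.example.net/tools/AdobeUpdate.exe - DIRECT/192.0.2.40 application/octet-stream",
]

def url_hits(url):
    """Return which of the diary's indicators a requested URL matches."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)   # accept defanged input
    if "://" not in url:
        url = "//" + url                              # CONNECT host:port form
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")         # hostname is lowercased
    reasons = []
    if host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN):
        reasons.append("domain")                      # exact host or subdomain
    if parts.path.rsplit("/", 1)[-1].lower() in BAD_NAMES:
        reasons.append("filename")                    # weak alone: names collide
    return reasons

def scan_proxy_log(lines, url_field=6):
    """Return (line_no, client, reasons) for every line whose URL matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) > url_field and (r := url_hits(fields[url_field])):
            hits.append((n, fields[2], r))
    return hits

def md5_verdict(path):
    """Hash a file on disk; return the matching indicator label or None."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return BAD_MD5.get(digest.hexdigest())
```

A hit on the file name alone is only a lead, since names such as AdobeUpdate.exe are easy to collide with; the domain and hash matches carry more weight.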

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

It's not Groundhog Day, but it surely feels like it. The Shadowserver Foundation [1] reports spotting another Adobe 0-day in the wild.

Adobe acknowledged the issue in a PSIRT post [2].

The quick summary: There is currently no patch available, and commonly used anti-virus products appear to be mostly missing it. The bug requires JavaScript. Turning off JavaScript support appears to be your best defense. I could recommend that you don't open any malicious PDFs. But it would probably be as useful to go and hide in a cave until all Adobe bugs got fixed.

Please let us know if you find any malicious PDFs like this, and let the Adobe PSIRT know as well.

[1] http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214

[2] http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 0day adobe pdf

Important BIND name server updates - DNSSEC

Published: 2009-12-15
Last Updated: 2009-12-15 13:47:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.

From the ISC.org mailing list:

ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.

You can test whether you can successfully resolve these zones using the
following queries.

    dig rsasha256.island.dlvtest.dns-oarc.net soa
    dig rsasha512.island.dlvtest.dns-oarc.net soa
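
A small wrapper around the two queries above that turns dig's output into a pass/fail verdict (an added example, not part of the ISC announcement or the diary). The function names and the embedded sample outputs are constructed for illustration, and it assumes that any response other than NOERROR with an SOA answer counts as a failure to resolve the zone.

```python
import re
import subprocess
ZONES = ("rsasha256.island.dlvtest.dns-oarc.net",
         "rsasha512.island.dlvtest.dns-oarc.net")
# Constructed dig output (the SOA rdata and query ids are made up).
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rsasha256.island.dlvtest.dns-oarc.net. IN SOA

;; ANSWER SECTION:
rsasha256.island.dlvtest.dns-oarc.net. 3600 IN SOA ns.example. root.example. 1 3600 900 604800 3600
"""
SAMPLE_FAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def parse_dig(output):
    """Pull the rcode, header flags and SOA answer count out of dig output."""
    status = re.search(r"->>HEADER<<-.*status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    in_answer, soa = False, 0
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False          # any other header or blank ends it
        elif in_answer and re.search(r"\sIN\s+SOA\s", line):
            soa += 1
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [], "soa": soa}

def verdict(parsed):
    """The 'ad' flag is set only when the resolver validated the answer."""
    if parsed["status"] != "NOERROR" or not parsed["soa"]:
        return "fail"
    return "ok-validated" if "ad" in parsed["flags"] else "ok-unvalidated"

def check(zone, server=None):
    """Run the diary's dig query, optionally against a named resolver."""
    cmd = ["dig"] + (["@" + server] if server else []) + [zone, "soa"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return verdict(parse_dig(out.stdout))

if __name__ == "__main__":
    for zone in ZONES:
        print(zone, check(zone))
```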

[1] http://www.icann.org/en/announcements/announcement-2-09oct08-en.htm
[2] https://www.isc.org/software/bind/dnssec

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: bind dns dnssec
