We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write-up and here is the link to the original advisory. The exploit was discovered in a phishing attempt with the subject of "David Leadbetter's One Point Lesson". Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details). It does affect the latest version of Acrobat/Reader and Adobe is investigating a patch. More to come on that. The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments. --
John, ISC Handler (262 Posts), Sep 8th 2010
Adobe is killing us! Secure Document Format (SDF) please!!! (I think I read something about that recently.)
John (88 Posts), Sep 8th 2010
John wrote "Secure Document Format (SDF) please!!!"
Should that not be Secure Portable Document Format (SPDF)? Security is paramount but don't forget the platform/device independence.
Chris (6 Posts), Sep 8th 2010
Seriously. This is getting ridiculous. Maybe they could hurry up on that sandboxing at least.
Chris (4 Posts), Sep 8th 2010
Does anyone know if FoxIt is more secure? (I guess, how could it be worse than Adobe Reader at this point?) I've made the switch on my personal PC, and I'm thinking of switching my clients as well.
Chris (1 Post), Sep 9th 2010
I'm not sure Foxit is more secure but there is less bloat in it and I agree how could it be less secure.
I switched my users to it without issue.
PW (69 Posts), Sep 9th 2010
As with many or all of the recent Adobe PDF hacks, you can stop this one by disabling JavaScript within Reader/Acrobat.
The Metasploit blog has an excellent technical write-up today: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Andrew (41 Posts), Sep 9th 2010
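Disabling Reader's JavaScript, as the comment above recommends, is only a mitigation if it actually sticks on every machine. The added example below (my code, not from the ISC diary or from Adobe) audits a `reg export` of the two places the switch lives: the per-user preference `JSPrefs\bEnableJS` and the machine-wide policy `FeatureLockDown\bDisableJavaScript`, which overrides the user's choice. The key and value names are as I know them from Adobe's administration documentation; treat them as an assumption to verify against your own Reader/Acrobat version. The registry text is constructed sample data.

```python
import re

# Constructed sample of a "reg export" covering the two places Reader's JavaScript
# switch lives. Key and value names (JSPrefs\bEnableJS, FeatureLockDown\bDisableJavaScript)
# are as I know them from Adobe's administration documentation; verify them against
# your own Reader/Acrobat version before relying on this. In the sample, 9.0 has
# JavaScript switched off in the user preference only; 8.0 has it enabled and no lockdown.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown]
"bSomeOtherSetting"=dword:00000001
"""

# Reader stores per-user prefs under "Acrobat Reader", full Acrobat under "Adobe Acrobat".
JSPREFS = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Adobe\\(Acrobat Reader|Adobe Acrobat)\\([0-9.]+)\\JSPrefs$", re.I)
LOCKDOWN = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\(Acrobat Reader|Adobe Acrobat)\\([0-9.]+)\\FeatureLockDown$", re.I)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def _dword(raw):
    """Decode a 'dword:xxxxxxxx' value; None if absent or not a DWORD."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw or "")
    return int(m.group(1), 16) if m else None


def javascript_status(reg_text):
    """Per (product, version): whether the user pref enables JS and whether policy locks it off."""
    status = {}

    def entry(m):
        return status.setdefault((m.group(1), m.group(2)),
                                 {"user_enabled": None, "locked_off": False})

    for path, values in parse_reg(reg_text).items():
        m = JSPREFS.match(path)
        if m:
            v = _dword(values.get("bEnableJS"))
            entry(m)["user_enabled"] = None if v is None else v != 0
        m = LOCKDOWN.match(path)
        if m:
            entry(m)["locked_off"] = _dword(values.get("bDisableJavaScript")) == 1
    return status


def noncompliant(reg_text):
    """Installs where JavaScript is neither locked off by policy nor off in the user pref.
    A missing user pref counts as enabled, because that is Reader's default."""
    return sorted(key for key, s in javascript_status(reg_text).items()
                  if not s["locked_off"] and s["user_enabled"] is not False)


if __name__ == "__main__":
    for product, version in noncompliant(SAMPLE_REG):
        print(f"{product} {version}: JavaScript still enabled (no FeatureLockDown, user pref not 0)")
```

The point of checking both locations: a user can flip `bEnableJS` back on from the Reader preferences dialog, so a fleet-wide setting should go through the HKLM policy key, and an audit that only reads the user pref will report machines as safe that are one click away from not being safe.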
Receiving active infection at a rate of 1 every 5 seconds.
Subject: Here you have
Body: Hello: This is The Document I told you about,you can find it Here.http: / / www . share d ocuments . com / library / PDF_Document21 . 025542010 . pdf Please check it and reply as soon as possible. Cheers,
(Note the domain name has only one D in it.) SB
Spam (5 Posts), Sep 9th 2010
Update: the real link (:-S) is:
http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr SB
Spam (5 Posts), Sep 9th 2010
Since some of the most well-known virus companies are not detecting the .scr file according to VirusTotal, can anyone say what the file does, if anything, at this point? We got blasted about 2 hrs ago. I have one machine offline until I can tell what it does.
Spam (1 Post), Sep 9th 2010
We got hit with this an hour ago and it spread like wildfire. It seems to spam all Exchange distribution lists with the original e-mail. It was sending to every one of our distribution lists. The Exchange server is halted now until we can contain this.
Spam (1 Post), Sep 9th 2010
We're talking about two different things here.
A major auditing firm sent us some emails with the link that SB posted, however it's to a .SCR file even though the link in the email says .PDF (as he corrected in a later post). They use McAfee and McAfee added detection as of today. Their writeup for this non-PDF infection is at http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352#none
It appears to require local administrator rights to do its thing since it installs into %WINDIR%. "Least privilege" stops another one even if the AV vendors can't.
FWIW, we tested it against the six anti-malware systems we use. Bitdefender and Kaspersky on the proxy server both stopped the download if the link was clicked. Every engine we have enabled on Forefront for Exchange let the email go right through because it was just a link. The Sophos email gateway did the same because it was just a link. These systems update every hour. The two engines on the proxy server marked it as:
Bitdefender: Gen:Trojan.Heur.rm0@fnBStPoi
Kaspersky: Suspicious:HEUR:Trojan.Win32.Generic
Anonymous, Sep 9th 2010
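The pattern the posters above describe, a link whose visible text says .pdf while the real target is a .scr with a document-looking double extension, is exactly what mail gateways that "just see a link" miss. The added example below (my code, written for this thread; not from the ISC diary, McAfee or any of the vendors named) pulls every anchor out of an HTML message body and flags the mismatches: an executable target, a document extension buried in front of the executable one, a displayed URL whose host differs from the real one, and visible text claiming a document type the target does not have. The message body is constructed sample data modelled on the lure quoted above, with `.invalid` placeholder hosts in place of the real domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "Here you have" lure quoted in this
# thread. Hosts are .invalid placeholders, not the real domains from the posts.
SAMPLE_HTML = """
<p>Hello: This is The Document I told you about, you can find it
<a href="http://members.example-host.invalid/yahoophoto/PDF_Document21_025542010_pdf.scr">Here.http://www.example-docs.invalid/library/PDF_Document21.025542010.pdf</a>
Please check it and reply as soon as possible. Cheers,</p>
<p>Also attached: <a href="http://docs.example.invalid/q3/report.pdf">Quarterly report (PDF)</a></p>
"""

# Extensions Windows will execute on a double-click versus ones users expect to be documents.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _ext(name):
    """Trailing dot-extension of a path or filename, lowercased ('' if none)."""
    m = re.search(r"(\.[A-Za-z0-9]{1,5})$", name.rstrip("."))
    return m.group(1).lower() if m else ""


def assess_link(href, text):
    """Return a list of reasons the link looks deceptive; an empty list means nothing found."""
    reasons = []
    actual = urlparse(href)
    real_ext = _ext(actual.path)

    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"target is an executable type ({real_ext})")
        # Double extensions such as "...pdf.scr" or "..._pdf.scr" mimic a document name.
        stem = actual.path[: -len(real_ext)].lower()
        if any(stem.endswith(d) or stem.endswith(d.replace(".", "_")) for d in DOCUMENT_EXTS):
            reasons.append("document extension embedded before the executable extension")

    # If the visible text itself shows a URL, compare its host and extension with the real target.
    shown_url = re.search(r"""https?://[^\s<>"']+""", text)
    if shown_url:
        shown = urlparse(shown_url.group(0))
        if shown.hostname and shown.hostname != actual.hostname:
            reasons.append(f"displayed host {shown.hostname} differs from actual host {actual.hostname}")
        shown_ext = _ext(shown.path)
    else:
        shown_ext = _ext(text)

    if shown_ext in DOCUMENT_EXTS and real_ext and real_ext != shown_ext:
        reasons.append(f"text claims {shown_ext} but target is {real_ext}")
    return reasons


def scan_email_html(html):
    """Map each href in the message body to its list of reasons (empty = nothing suspicious)."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_HTML).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("    - " + reason)
```

This is a triage aid for the gateway or the helpdesk, not a verdict: a clean result only means the link is honest about what it points at, and a download of an .scr from any host is still worth blocking at the proxy, which is the control that actually stopped it in the test described above.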
This appears to also disable McAfee. TrendMicro doesn't see it at all.
PhilBAR (24 Posts), Sep 9th 2010
I think I remember reading something about Adobe products using .scr files for scripting. Is this correct?
PhilBAR (24 Posts), Sep 9th 2010
For everyone mentioning the "Here you have" user click trojan above, unless it gets updated, it has nothing to do with the Adobe Advisory. About the only thing that can be said about it is that it is a link claiming to be a pdf that turns out to be otherwise.
Back on topic, EMET 2.0 is supposed to take care of the "Not so" Cooltype.dll exploit. Quote:
"Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows."
PhilBAR (57 Posts), Sep 12th 2010
So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits.
On Windows 7 EMET applies all the protections to Acrobat Reader.
On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected).
On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)
Well, it's cross-your-fingers-and-hope time...
PhilBAR (57 Posts), Sep 13th 2010
The 'Here you have' case is a totally different case, although the malicious attachment in that case has a .pdf extension (....pdf.scr)
Juha-Matti (5 Posts), Sep 15th 2010
John wrote "Secure Document Format (SDF) please!!!" +1
Juha-Matti (1 Post), Oct 26th 2010