Clearing some things up about Adobe

The word “Adobe” conjures up a number of meanings here.  When we get an email that mentions just “Adobe,” we fill in the blank with one of the following:

  • Adobe the Company
  • Adobe Acrobat
  • Adobe Acrobat Reader
  • Etc.


This invariably leads to confusion.

A similar confusion exists surrounding the recently reported Google incident (http://isc.sans.org/diary.html?storyid=7969) especially when Adobe released a similarly worded announcement: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file.  I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack.  Adobe’s (the company) ASSET security team released additional details yesterday (http://blogs.adobe.com/asset/2010/01/further_details_regarding_atta.html) where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product.

So let’s look instead at how their products ARE being used to compromise systems…

The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot: http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html

Fortunately CVE-2009-4324 has been patched.

A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox.  I understand that when I download an interactive PDF form, it’s going to need some JavaScript to run.  I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs.
 


Kevin Liston

kliston@isc.sans.org

Thought it is good to add, while it is not related: in the last update in Dec 09 for Adobe*, the certificate for the download executable to upgrade the vulnerable version was not valid! It appears it is now valid up to 11/04/2012.
Ramu

One thing that makes it even MORE confusing is that the last version of "Adobe Acrobat Reader" was 5.1. Versions from 6.0 on have been officially known as "Adobe Reader" (no Acrobat in the name anywhere). Thus, if you're running Adobe Acrobat Reader, you're probably really in need of an update!

So, the products are "Adobe Reader" (which displays PDF files) and "Adobe Acrobat" (in Standard, Professional, Professional Extended, etc. variants).

One trick I use is to add a .REG file to the Run key in the registry that turns off JavaScript for Reader/Acrobat whenever a user logs on to the machine. If they access a PDF file that contains JavaScript, they'll get a pop-up asking to turn it on. It turns on JavaScript indefinitely, but the next time their machine gets rebooted JavaScript will get turned back off. It doesn't eliminate the problem (and most users won't think before turning it on, so it's mostly only valuable for aware users), but it does reduce the chances.

Finally, one other note - if you use the USPS site to buy postage for packages, it will silently fail to print the label if you have JavaScript turned off. You have to turn it back on and restart your browser. Another workaround involves leaving JavaScript turned off and disabling the display of PDF files inside the browser (which forces the PDF file to open in the full Adobe Reader application instead of in a hidden IE window, and then it can be printed manually).
Anonymous
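
The logon-time reset described in the comment above, written as a PowerShell script rather than a .REG file (an added example, not the commenter's own file). It assumes the JavaScript preference is the `bEnableJS` DWORD under `HKCU\Software\Adobe\<product>\<version>\JSPrefs`; the Run value name `DisableAdobeJS` and the script path are hypothetical.

```powershell
# Added example. Assumptions: JavaScript is controlled by the bEnableJS DWORD
# (0 = off) under HKCU\Software\Adobe\<product>\<version>\JSPrefs, and version
# subkeys are named like "8.0" or "9.0".
$AdobeRoot = 'HKCU:\Software\Adobe'
$Products  = 'Acrobat Reader', 'Adobe Acrobat'

function Disable-AdobeJavaScript {
    foreach ($product in $Products) {
        $productKey = Join-Path $AdobeRoot $product
        if (-not (Test-Path $productKey)) { continue }   # product not installed

        $versions = Get-ChildItem -Path $productKey |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

        foreach ($version in $versions) {
            $jsPrefs = Join-Path (Join-Path $productKey $version.PSChildName) 'JSPrefs'
            if (-not (Test-Path $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }
            # Record the old value so the output shows where JavaScript had been re-enabled.
            $old = (Get-ItemProperty -Path $jsPrefs -ErrorAction SilentlyContinue).bEnableJS
            New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -PropertyType DWord `
                -Value 0 -Force | Out-Null

            New-Object PSObject -Property @{
                Product  = $product
                Version  = $version.PSChildName
                Previous = $(if ($null -eq $old) { 'unset' } else { $old })
                Current  = 0
            }
        }
    }
}

function Register-LogonReset {
    param([Parameter(Mandatory = $true)][string]$ScriptPath)
    # HKLM Run entries start for every user at logon; writing here needs admin rights.
    $runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $command = 'powershell.exe -NoProfile -File "{0}"' -f $ScriptPath
    New-ItemProperty -Path $runKey -Name 'DisableAdobeJS' -PropertyType String `
        -Value $command -Force | Out-Null
}

Disable-AdobeJavaScript | Format-Table Product, Version, Previous, Current -AutoSize
```

Because the Run entry executes in each user's own session, the `HKCU` writes land in that user's profile; a `Previous` value of 1 in the output marks a profile where JavaScript had been switched back on since the last logon.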
