Category: Widely Deployed Software
- Adobe Reader X (10.1.1) and earlier
- Adobe Reader 9.4.6 and earlier
View full post on @RISK: The Consensus Security Alert
Fake emails sent in attacks on December 6 and December 7 attempt to trick Adobe users into opening malware-laden attachments. According to two separate Sophos reports, attackers sent one email to Adobe InDesign users and another to Adobe Reader and X Suite users. Both emails carry attachments claiming to be part of a critical “Adobe update” but containing malware instead. Adobe does not issue updates via email, and never has, according to the Adobe Online Piracy page. Following are some facts about the attacks, the fake emails, and other important information.
Who did the Adobe malware attacks target?
The attacks use similar wording and similar malware, and came only a day apart. The first attack was an email aimed at Adobe Reader and Adobe X Suite Advanced users; according to the first Sophos report, it carries the Trojan identified as “Troj/BredoZp-GY.” The second attack was an email aimed at Adobe InDesign users, and it carries the Trojan identified as “Troj~Bredo-MY,” according to the second Sophos report.
What did the fake Adobe Reader and X Suite Advanced emails say?
According to the first Sophos report, the emails to Reader and X Suite Advanced users claimed to be from Adobe Systems Incorporated and to contain, in the attached file, either a new version or a critical upgrade to an existing version. The notification reference numbers, exact message wording, and the last word of the attachment file name differ from email to email. The attachment name begins “AdobeSystems-Software_Critica Update Dec_2011,” followed by a random word or number and the ZIP file extension (.zip). In reality, the archive contains an executable program that Sophos determined to be malware, carrying the same name but with the “.exe” extension in place of “.zip.”
What did the fake Adobe InDesign emails say?
According to the second Sophos report, the emails to Adobe InDesign users claimed to contain an updated license key for the Adobe InDesign Creative Suite 4 (CS4) program. Each email carries an attachment that Sophos determined to be malware-laden; its name begins “License_key_ID,” followed by a random number and the ZIP file extension (.zip). The subject line is the same in every email, “InDesign CS4 License Key,” and the sender claims to be “Adobe Systems Incorporated,” just as in the Reader and X Suite Advanced attack emails.
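The two lures described above share a detectable shape: a .zip attachment named after one of the reported patterns that holds an executable carrying the archive's own name. The screening function below is an added example, not code from Sophos or from the original post; the lure name patterns are transcribed from the text, and the sample archives are constructed in memory and contain no real malware.

```python
"""Screen mail attachments for the traits of the fake "Adobe update" mails:
a .zip whose name matches a reported lure pattern and that holds an
executable named like the archive.  Added example; sample archives are
constructed here and are not the real attachments."""
import io
import re
import zipfile

# Attachment-name patterns reported by Sophos for the two campaigns (per the
# page); the trailing random word/number before .zip is matched loosely.
LURE_PATTERNS = [
    re.compile(r"^AdobeSystems-Software_Critica Update Dec_2011.*\.zip$", re.I),
    re.compile(r"^License_key_ID\d+\.zip$", re.I),
]
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def screen_attachment(filename, data):
    """Return the list of reasons the attachment resembles the described lure."""
    reasons = []
    if any(p.match(filename) for p in LURE_PATTERNS):
        reasons.append("name matches reported Adobe-lure pattern")
    if not filename.lower().endswith(".zip"):
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return reasons + ["attachment is not a valid zip archive"]
    stem = filename[:-4].lower()  # archive name without ".zip"
    for member in members:
        low = member.lower()
        if low.endswith(EXECUTABLE_EXTS):
            reasons.append(f"archive contains executable {member}")
            # The reported lure shipped an .exe carrying the archive's own name.
            if low.rsplit(".", 1)[0] == stem:
                reasons.append("executable is named after the archive itself")
    return reasons


def make_zip(member_name, content=b"MZ-placeholder"):
    """Build an in-memory zip (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: two lure-shaped archives and one benign one.
SAMPLES = {
    "AdobeSystems-Software_Critica Update Dec_2011_Q7.zip":
        make_zip("AdobeSystems-Software_Critica Update Dec_2011_Q7.exe"),
    "License_key_ID48213.zip": make_zip("License_key_ID48213.exe"),
    "quarterly_report.zip": make_zip("quarterly_report.pdf", b"%PDF-1.4"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", screen_attachment(name, blob) or ["no findings"])
```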
How dangerous is the malware contained in the emails?
According to Sophos, both Trojans create fake Windows registry keys and create files within the “svchost.exe” process, which every Windows-based computer needs in order to operate normally. The Trojans were also identified as variants of the Zeus Trojan, so they are quite dangerous. According to PC World, Zeus, detected in 2006, allowed 60 of its creators to get away with stealing more than $200 million by the time they were charged with numerous crimes in 2010.
What else should users know about the attacks?
While most Adobe users know that Adobe does not issue updates via email, some are fooled because the emails look official. On its Online Piracy page, Adobe states that anyone receiving an email claiming to be from Adobe and asking for personal information should report that email as fraud. If a computer is already infected, an installed, up-to-date security program capable of removing the Zeus Trojan should also remove these variants.
Jessica (JC) Torpey is a self-taught computer technician with more than 10 years’ experience in the field. JC’s passion is studying the various political and business aspects of the technology industry. Combining that knowledge with her love of computers, JC uses it to influence her writing.
Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses.
“We’ve seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector,” said Joshua Talbot, senior security manager in Symantec’s security response group, in an interview Wednesday.
Symantec mined its global network of honeypots and security detectors – and located email messages with attached malicious PDF documents – to come to that conclusion.
The inclusion of defense contractors was not unexpected.
Yesterday, when Adobe warned Reader and Acrobat users that hackers were exploiting a “zero-day” bug on Windows PCs, it credited Lockheed Martin’s security response team and the Defense Security Information Exchange (DSIE), a group of major defense contractors that share information about computer attacks, with reporting the vulnerability.
The DSIE is composed of companies that are also part of what the federal government calls the “Defense Industrial Base,” or DIB. Among the DIB’s members are some of the country’s largest defense contractors, including Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, Pratt & Whitney and Raytheon.
Symantec found attack emails dated 1 November and 5 November, 2011.
It also published an image of a redacted email of the attack’s bait – the promise of a 2012 guide to policies on new contract awards – that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF document.
The message’s subject heading read, “FY12 XXXXX Contract Guide,” and the body simply stated, “FY12 XXXXX contract guide is now available for all contractors of XXXXX. The new guide contains update information of XXXXX policy on contract award process.”
Opening the attached attack PDF also executed the malicious code – likely malformed 3-D graphics data – hidden in the PDF, compromising the targeted PC and letting the attacker infect the machine with malware.
That malware, Talbot said, was identical to what was used in early 2010 by hackers exploiting a then-unpatched bug in Microsoft’s Internet Explorer 6 (IE6) and IE7.
Symantec labeled the malware “Sykipot” last year.
“It’s not overly sophisticated,” said Talbot. “It’s a general-purpose backdoor. One of the interesting things about it is that it does use a form of encryption of the stolen information, which helps the attack hide what information is stolen.”
Sykipot encrypts the pilfered data after it has been retrieved from the victimised firm but while it is still stored on the company’s network, as well as when it’s transmitted to a hacker-controlled server.
Those command-and-control (C&C) servers are still operating, Talbot said.
Because of the similarities – using Sykipot, which isn’t widely in play, and exploiting zero-day vulnerabilities – Symantec suspects that the same group of hackers who launched the attacks against IE6 and IE7 last year were also responsible for the Reader-based attacks seen last month.
Microsoft patched the IE6 and IE7 vulnerability on 30 March, 2010, in an emergency, or “out-of-band,” update.
Although Symantec found evidence of only the early-November attacks, Talbot said he wouldn’t be surprised if the criminals fired off another information-stealing campaign between now and next week, when Adobe promised to patch the bug in Reader and Acrobat 9.x on Windows, the versions that have been exploited in the wild.
Talbot declined to specify the geographic location of the Sykipot C&C servers, or to speculate on the origin of the Reader exploits.
Adobe will patch the Windows versions of Reader and Acrobat 9.x by the end of next week, and has promised to deliver fixes to Reader and Acrobat 9.x to Mac and Unix users, and to Reader and Acrobat 10.x for all platforms, next month.
Symantec has shipped detection signatures for the rogue PDFs to its customers, said Talbot.
Article source: http://rss.feedsportal.com/c/270/f/3551/s/1ac43c33/l/0Lnews0Btechworld0N0Csecurity0C33237640Csymantec0Econfirms0Eadobe0Ereader0Eexploits0Etargeted0Edefence0Ecompanies0C0Dolo0Frss/story01.htm
Tuesday morning, we received a number of reports from readers indicating that the SSL certificate used for “settings.adobe.com” was out of date. Initially, we had a hard time reproducing the finding. But some of our handlers in Europe were able to see the expired certificate.
The expired certificate was valid from Oct 6th 2009 to Oct 6th 2010, which is somewhat unusual. Typically, we would expect a certificate that “just expired yesterday” because someone forgot to renew it. In this case, it looked more like someone had installed an older certificate instead of the new one.
The correct certificate was pretty much exactly a year old and valid for another year. Everything indicated that the Adobe certificates indeed expire in the first week of October.
In the end, we narrowed the affected geography down to Europe and contacted Adobe. Adobe responded promptly, and as of this evening the problem appears to be fixed. Thanks to everybody who helped via Twitter to narrow down the affected geography, and thanks to the readers who reported this initially.
Article source: http://isc.sans.edu/diary.html?storyid=11737&rss
It might be common, but that doesn’t mean I’m not allowed to wail against it – especially since I was not familiar with this particular case. As it turns out, several of Adobe products’ download pages have opt-out checkboxes to also install Google Chrome. This was spyware-like behaviour when Apple did it with Safari and the iPhone Configuration Utility, and it is still spyware-like behaviour when Adobe and Google do it with Chrome.
Since I haven’t downloaded Adobe Flash separately for a while now (Chrome has it included anyway), I hadn’t yet noticed this, but as it turns out, when you go to Flash’s download page, a checkbox is marked which automatically downloads and installs Google Chrome alongside Flash (unless you already have Chrome installed). The checkbox is marked by default, so it’s opt-out instead of opt-in. Further DuckDuckGoing reveals that Adobe Reader X, too, has Chrome bundled with it.
I have no issues with these kinds of bundles – or with Apple using its updater to offer Safari to Windows users – but only if it’s opt-in. In other words, the user should have to specifically select a checkbox – if he doesn’t, no additional spyware should be installed.
You can expect this kind of behaviour from sleazy toolbars and porn sites – but not from Google and Adobe. The only reason I’m highlighting this here as much as I’m doing is because this sleazeball and slimy behaviour needs to stop. Chrome is perfectly capable of getting around on its own (unlike Safari for Windows, which sucks beyond belief), and this only reflects badly upon an otherwise excellent browser.
Google and Adobe, please stop this.
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to US-CERT.
Last reviewed: September 9, 2011 09:11:32 EDT
added September 9, 2011 at 08:18 am
Adobe has issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat to address multiple vulnerabilities. The advisory indicates that updates for Windows and Macintosh will be available on September 13, 2011.
US-CERT encourages users and administrators to review the Adobe Advisory.
US-CERT will provide additional information as it becomes available.
added September 8, 2011 at 02:04 pm
Microsoft has issued a Security Bulletin Advance Notification indicating that its September release will contain five bulletins. These bulletins will have the severity rating of important and will be for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, September 13, 2011.
US-CERT will provide additional information as it becomes available.
added August 30, 2011 at 08:40 am | updated August 30, 2011 at 11:27 am
US-CERT is aware of public reports of the existence of at least one fraudulent SSL certificate issued by DigiNotar. This fraudulent SSL certificate could be used by an attacker to masquerade as any subdomain of google.com.
Mozilla will be releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9). Additional information can be found in the Mozilla Security Blog.
Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. This change affects all versions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft will be releasing a future update for Windows XP and Windows Server 2003 to address this issue. Additional information can be found in Microsoft Security Advisory 2607712.
Google Chrome users are protected from this attack due to Chrome’s built-in certificate pinning feature. Google also plans to disable the DigiNotar certificate authority. Additional information can be found in the Google Security Blog.
US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.
added August 29, 2011 at 12:05 pm
In the past, US-CERT has received reports of phishing scams and malware campaigns related to topics that are of high-interest to the U.S. Government or news media, such as Hurricane Irene. Users’ systems have been compromised by receiving and accessing phishing emails with subject lines that seem relevant to a high-interest subject and appear to originate from a valid sender. US-CERT reminds users to remain vigilant for potential malicious cyber activity seeking to capitalize on interest in Hurricane Irene. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Irene, even if it appears to originate from a trusted source.
US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:
added August 25, 2011 at 12:54 pm
Cisco has released three security advisories to address vulnerabilities affecting the Cisco Unified Communications Manager, the Cisco Unified Presence Server, and the Cisco Intercompany Media Engine. These vulnerabilities may allow an attacker to disclose sensitive information or cause a denial-of-service condition.
US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.
added August 23, 2011 at 08:07 am
Google has released Chrome 13.0.782.215 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 13.0.782.215 to help mitigate the risks.
added August 17, 2011 at 07:57 am
The Mozilla Foundation has released Firefox 6 and Firefox 3.6.20 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or obtain sensitive information.
added August 10, 2011 at 01:22 pm
RIM has released a security advisory to address a vulnerability in the BlackBerry MDS Connection Service and BlackBerry Messaging Agent for the BlackBerry Enterprise Server. The vulnerability may allow an attacker to execute arbitrary code or gain unauthorized access to the BlackBerry Enterprise Server.
US-CERT encourages users and administrators to review the BlackBerry security advisory KB27244 and apply any necessary updates to help mitigate the risks.
added August 10, 2011 at 09:59 am
Adobe has released security bulletins to alert users of critical and important vulnerabilities in multiple products. The following products are affected:
Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, take control of an affected system, or perform a cross-site scripting attack.
US-CERT encourages users and administrators to review the Adobe security bulletins and apply any necessary updates to help mitigate the risks.
added August 4, 2011 at 01:25 pm | updated August 9, 2011 at 02:38 pm
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft .NET Framework, and Microsoft Developer Tools as part of the Microsoft Security Bulletin Summary for August 2011. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, cause a denial-of-service condition, or disclose sensitive information.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.