13 comment(s) - last by rcc.. on Feb 26 at 6:19 PM

Adobe exploits continue to be found

It's hard to deny: hackers love Adobe.  Over the last several years, Adobe's products have accounted for many of the top security vulnerabilities, because their rich file formats give hackers many easy routes to take over computers.  By the looks of it, this last month has been another rough one for Adobe, and not just because of its recent layoffs.

eWeek, a leading computer and security news site, became the latest victim of an Adobe exploit earlier this month.  Other sites owned by Ziff Davis, which owns eWeek, were also affected.  The Ziff Davis sites hosted an ad that looked legitimate but redirected users through a series of iframes to a pornographic website.  And that wasn't the end of the shenanigans, either.  The site then tried to download an Adobe PDF containing a known exploit, 'bloodhound.exploit.213'.

A patch had previously been released for the exploit, which affects Adobe Acrobat and Reader versions 8.12 and earlier, but many users have yet to receive it.  Once the exploit gains access to the system, it installs a file named "winratit.exe" in the user's temporary files folder and two other files, according to security researchers at Websense.

The files are activated while users are browsing the internet, and they try to get users to buy fake antivirus software by redirecting them to phony sites.  Websense explains, "The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/, which has been set up to collect payment details."

Currently only Symantec, BitDefender, GData, nProtect, Secure-Web Gateway and AntiVir detect the exploit.  While little comfort to visitors of Ziff Davis pages, who might now be infected, eWeek and Ziff Davis announced, "The exploit in question did not compromise eWEEK.com or any Ziff Davis Enterprise Web sites."

The offending ads have been removed from the system.

However, another security storm is brewing for Adobe as well.  A new flaw has been found by security researchers at Symantec and the Shadowserver Foundation, and has since been released to the hacking public on the site Milw0rm.com.  The new flaw is found in all versions of Adobe Acrobat and Reader, including the latest, Version 9 of both.  The attack uses JavaScript to create a buffer overflow and can compromise a system merely by opening a malicious PDF file.

The attack works on Windows XP SP3 computers and likely works on OS X computers as well.  It is unknown if it works in Windows Vista.  Shadowserver writes that the attacks may just be starting to heat up for the exploit, stating, "Right now we believe these files are only being used in a smaller set of targeted attacks.  However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."

The easy fix to prevent your system from being compromised is to disable JavaScript in Adobe Reader and Adobe Acrobat, for now.  Adobe is rushing to release a patch for Version 9, which is due by March 11.  Patches for Adobe 8 and 7 will follow.  For users eager for a "real" fix, for now, try Sourcefire security researcher Lurene Grenier's homebrew patch.  The patch replaces Adobe's flawed AcroRd32.dll file.  The only limitation is that it only works for Windows, so Mac users may be left with the door still open.

For system administrators, PhishLabs has also created a useful batch tool that sets a system registry key to disable JavaScript in Adobe Reader 9.0, which will come in handy for automating the change across a network.
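
One way to audit and apply the registry-based mitigation described above for every user logged on to a machine, as an added example (it is not the PhishLabs tool and not code from the original article). It assumes JavaScript is controlled by the per-user `bEnableJS` DWORD under `Software\Adobe\<product>\<version>\JSPrefs` and that a missing value means the application default applies; the parameter names are illustrative.

```powershell
# Added example: report, and optionally disable, Reader/Acrobat JavaScript per user.
# Assumption: DWORD bEnableJS under Software\Adobe\<product>\<version>\JSPrefs,
# where 0 means JavaScript is disabled.
param(
    [string[]]$Versions = @('9.0'),   # the article's batch tool targets Reader 9.0
    [switch]$Enforce                  # without -Enforce the script only reports
)

$products = 'Acrobat Reader', 'Adobe Acrobat'

# HKEY_USERS has one subkey per loaded profile; keep real user SIDs only
# (this also skips the S-...-_Classes companion keys).
$sids = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName

$results = foreach ($sid in $sids) {
    foreach ($product in $products) {
        foreach ($version in $Versions) {
            $base = "Registry::HKEY_USERS\$sid\Software\Adobe\$product\$version"
            # Skip users who have never run this product/version.
            if (-not (Test-Path -Path $base)) { continue }

            $key = "$base\JSPrefs"
            $current = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS

            if ($Enforce -and $current -ne 0) {
                if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null
                # Read the value back so the report reflects what is actually stored.
                $current = (Get-ItemProperty -Path $key -Name bEnableJS).bEnableJS
            }

            # A missing value means the application default applies (assumed: enabled).
            if ($null -eq $current) { $state = 'default (enabled)' }
            elseif ($current -eq 0) { $state = 'disabled' }
            else                    { $state = 'enabled' }

            [pscustomobject]@{ Sid = $sid; Product = $product; Version = $version; JavaScript = $state }
        }
    }
}
$results | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' hives are writable. Only profiles currently loaded under HKEY_USERS are covered, so users who are not logged on need the setting applied at their next logon.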



Comments

Foxit
By Screwballl on 2/25/2009 9:34:33 AM , Rating: 3
This is why I refuse to use Adobe if possible... and since Adobe Acrobat and Reader is such a resource hog... I have fully switched to Foxit Reader. It is smaller, faster and runs without problems.

http://www.foxitsoftware.com/




RE: Foxit
By Athlex on 2/25/2009 12:34:43 PM , Rating: 2
I've been using Foxit's reader as well and really like how quick and small it is compared to Adobe's.


RE: Foxit
By The0ne on 2/25/2009 1:05:03 PM , Rating: 2
Thanks. Will check it out :)


RE: Foxit
By TomZ on 2/25/2009 9:21:27 PM , Rating: 1
Yeah, Acrobat reader consumes 20MB on my machine with a document loaded - what a hog - and it takes a fraction of a second to load.
</sarcasm>


RE: Foxit
By B3an on 2/26/2009 1:32:10 AM , Rating: 2
That's what I was thinking. What are these people running? PII + 128MB RAM?


Another Goofy Headline
By rcc on 2/25/2009 5:39:48 PM , Rating: 1
No, it's not thanks to Adobe, it's thanks to the scumbag losers that created the problem. Yes, they were exploiting vulnerabilities in Adobe's software, which Adobe should and is working to fix.

Sensationalist headlines are fine, as long as they are accurate.




RE: Another Goofy Headline
By fic2 on 2/25/2009 6:18:08 PM , Rating: 3
Headline says - Thanks to Adobe Flaw, not Thanks to Adobe. Or at least it does now.


RE: Another Goofy Headline
By rcc on 2/26/2009 6:19:07 PM , Rating: 2
Same, same. In this case


Cross-platform Flash Player vulnerability, too
By mechBgon on 2/25/2009 10:55:34 AM , Rating: 2
A vulnerability in Flash Player also needs fixed:

http://forums.anandtech.com/messageview.aspx?catid...




By fic2 on 2/25/2009 1:53:55 PM , Rating: 2
Flashblock


Well Then
By Fanon on 2/25/2009 9:20:08 AM , Rating: 2
It's nice to know which ads were the culprit. This happened to me a few weeks back where a PDF I didn't request was opened. Thankfully I was running version 9 with the latest updates. After the second time, I decided to turn off automatic opening of PDF documents.




Foxit
By Screwballl on 2/25/2009 9:34:56 AM , Rating: 2
This is why I refuse to use Adobe if possible... and since Adobe Acrobat and Reader is such a resource hog... I have fully switched to Foxit Reader. It is smaller, faster and runs without problems.

http://www.foxitsoftware.com/




By lemonadesoda on 2/26/2009 5:46:52 AM , Rating: 2
quote:
hxxp://[removed]-site.info/,

By hiding the actual URL address, we now don't have the information to add such site to our HOSTS file for blocking.

If, for possible legal reasons, you don't want to show the name of the scamming site (ODD, I really think you should), then at least LINK to a webpage where the authors have the balls to do so.




Copyright 2014 DailyTech LLC.