Adobe exploits continue to be found

It’s hard to deny -- hackers love Adobe.  Adobe has over the last several years claimed many of the top security vulnerabilities due to its rich format which gives hackers many easy routes to take over computers.  This last month has been another rough one from Adobe by the looks of it -- and not just because of its recent layoffs.

EWEEK, a leading computer and security news site, became the latest victim of an Adobe exploit earlier this month.  Other sites owned by Ziff Davis, which owns eWeek, were also affected.  The Ziff Davis sites hosted an ad, which while looking legitimate redirected users through a series of iFrames to a pornographic website.  And that wasn't the end of the shenanigans, either.  The site then tried to download an Adobe PDF containing a known exploit, 'bloodhound.exploit.213.'

A patch had been previously released for the exploit, which affects Adobe Acrobat and Reader versions 8.12 and earlier, but many users still have yet to receive it.  Once the exploit gains access to the system, it installs a file named "winratit.exe" in the user's temporary files folder and two other files, according to security researchers at Websense. 

The files are activated when users are browsing the internet and they try to get users to buy fake antivirus software by redirecting them to phony sites.  Describes Websense, "The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed], which has been set up to collect payment details."

Currently only Symantec, BitDefender, GData, nProtect, Secure-Web Gateway and AntiVir detect the exploit.  While little comfort to visitors of Ziff Davis pages, who might now be infected, eWeek and Ziff Davis announced, "The exploit in question did not compromise or any Ziff Davis Enterprise Web sites."

The offending ads have been removed from the system.

However, another security storm is brewing for Adobe, as well.  A new flaw has been found by security researchers at Symantec and the Shadowserver Foundation, and has since been released to the hacking public on the site  The new flaw is found in all versions of Adobe Acrobat and Reader, including the latest versions, Version 9 for both respectively.  The attack can compromise systems merely by opening a malicious PDF file, by using JavaScript to create a buffer overflow.

The attack works on Windows XP SP3 computers and likely works on OS X computers as well.  It is unknown if it works in Windows Vista.  Shadowserver writes that the attacks may just be starting to heat up for the exploit, stating, "Right now we believe these files are only being used in a smaller set of targeted attacks.  However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."

The easy fix to prevent your system from being compromised is to disable JavaScript in Adobe Reader and Adobe Acrobat, for now.  Adobe is rushing to release a patch for Version 9, which is due by March 11.  Patches for Adobe 8 and 7 will follow.  For users eager for a "real" fix, for now, try Sourcefire security researcher Lurene Grenier's homebrew patch.  The patch replaces Adobe's flawed AcroRd32.dll file.  The only limitation is that it only works for Windows, so Mac users may be left with the door still open.

For system administrators, PhishLabs has also created a useful batch tool which sets a system registry key to disable JavaScript in Adobe Reader 9.0, which will come in handy for automating disabling JavaScript in Adobe across a network.

"We’re Apple. We don’t wear suits. We don’t even own suits." -- Apple CEO Steve Jobs
Related Articles
Adobe to Cut 8% of Workforce
December 4, 2008, 2:31 PM
Adobe Acrobat 9 Announced
June 2, 2008, 12:37 PM

Most Popular Articles

Copyright 2018 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki