Are we secure here?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Are we secure here?

Post by luntrus »

Hi malware fighters,

It is an advanced attack: http://isc.sans.org/diary.html?storyid=7867
Hackers are using it on the popular BitTorrent site IsoHunt.com at the moment, so block these from your OS:
193.104.22.0/24 and 89.149.236.46 (193.104.22.0/24 was already blocked).

PDF files have become the hacker tool of choice, and this new advanced attack proves it. The shellcode used in this attack is only 38 bytes. While the same heap-spraying technique has been used in other exploits, the second part of the shellcode has been added as another object in the PDF document. At first the code seems to be corrupted, but Adobe Reader loads the whole document into memory, including the "corrupted" code. According to Bojan Zdrnja the benefits for the attacker are crystal clear: he can easily change what the exploit does without the first part of the shellcode needing any change.

This makes automatic analysis of the added malicious JavaScript with a JavaScript-interpreting tool impossible. Research has found two hidden binaries, and also that the PDF document has everything aboard to take over a machine completely. No "extras" need to be downloaded. "Not only is this an example of a malicious PDF document with an advanced payload, but it also shows to what trouble malcreants will go to circumvent detection by AV vendors and victims alike", according to the ISC handler.
Are we NS-users secure against this?

luntrus

P.S. Anyway, Adobe is now going for silent updates à la Google Chrome, hoping some added obscurity will also add some security. For the moment I hope they patch this one real soon. For a while I will use an alternative reader...

Damian
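The post above describes a PDF whose second-stage payload sits in an extra object that looks corrupted until Reader loads it. The following static triage script is an added example, not code from the original thread or from ISC: it walks every `N G obj ... endobj` block in a PDF, undoes `#xx` name escaping (so `/J#61vaScript` is recognised as `/JavaScript`), inflates `/FlateDecode` streams, and reports which objects carry `/JS`, `/JavaScript`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile` or `/RichMedia`, plus any stream that claims to be deflated but will not inflate. The sample document it scans is constructed inline for the demonstration and is not the IsoHunt sample; the name list and the heuristics are this example's own choices, not a detection signature for the attack.

```python
import json
import re
import zlib

# Names whose presence in an object warrants a closer look: /JS and /JavaScript
# carry script, /OpenAction and /AA make it run without a click, and the rest
# are common carriers for a second-stage payload. (Heuristic list, an assumption
# of this example, not a complete signature.)
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escaping so /J#61vaScript compares equal to /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def name_present(name: bytes, data: bytes) -> bool:
    """True if the name occurs followed by a delimiter (so /JS != /JSON)."""
    return re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data) is not None


def scan_pdf(data: bytes) -> dict:
    """Walk every 'N G obj ... endobj' block and report what each one carries."""
    report = {"objects": 0, "flags": {}, "stream_objects": [], "undecodable": []}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        report["objects"] += 1
        sm = STREAM_RE.search(body)
        # The dictionary is everything before the stream keyword (or the whole body).
        searchable = normalize_names(body[:sm.start()] if sm else body)
        if sm:
            report["stream_objects"].append(num)
            raw = sm.group(1)
            if b"/FlateDecode" in searchable:
                try:
                    raw = zlib.decompress(raw)
                except zlib.error:
                    # A stream that claims FlateDecode but will not inflate is
                    # exactly the "looks corrupted" case worth a manual look.
                    report["undecodable"].append(num)
            # Object streams can hide whole dictionaries inside compressed data,
            # so the decoded content is searched for the same names.
            searchable += b"\n" + normalize_names(raw)
        for name in SUSPICIOUS_NAMES:
            if name_present(name, searchable):
                report["flags"].setdefault(name.decode(), []).append(num)
    return report


def build_sample_pdf() -> bytes:
    """Constructed test document (not the IsoHunt sample): the catalog's
    /OpenAction points at a hex-escaped JavaScript action whose code lives in
    a deflated stream, and a fifth object carries a deflated stream that does
    not inflate."""
    js = b"app.alert('constructed sample');"
    packed = zlib.compress(js)
    garbage = b"\xff\x00garbage"  # not a valid zlib stream
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /J#61vaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length %d /Filter /FlateDecode >>\nstream\n"
        % len(garbage) + garbage + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(json.dumps(scan_pdf(build_sample_pdf()), indent=1))
```

Run it against a real file with `scan_pdf(open(path, "rb").read())`. The output is a triage aid only: an object that is flagged still has to be read by hand, and a document that passes can still carry script in a filter the script does not decode.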
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Are we secure here?

Post by Giorgio Maone »

NoScript protects you against silent attacks from websites you don't know/trust, since all plugins, including Acrobat, are disabled by default on unknown/untrusted sites.
You can further harden this protection by checking NoScript Options|Embedded|Apply these restrictions to trusted sites as well, which disables all plugin content unless you specifically enable it by clicking on the placeholders.

However, nothing can protect you against social engineering attacks, i.e. making you voluntarily open a certain PDF file either from a web page or from an email message.
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Are we secure here?

Post by therube »

Disable JavaScript in Adobe.
Update when they release the update.
(Keep on your toes for the next exploit against Adobe.)

Adobe.com CVE-2009-4324: Security Advisory for Adobe Reader and Acrobat
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Are we secure here?

Post by Alan Baxter »

therube wrote:(Keep on your toes for the next exploit against Adobe.)
RSS feed: http://blogs.adobe.com/psirt/atom.xml
Foxit Software - Foxit Reader 3.0 for Windows
Disable JavaScript in Foxit Reader
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Are we secure here?

Post by computerfreaker »

Alan Baxter wrote:Foxit Software - Foxit Reader 3.0 for Windows
Disable JavaScript in Foxit Reader
Worse.
http://security-labs.org/fred/docs/pacs ... d-full.pdf (ironically a PDF talking about PDF vulns), page 105:
A word about the Readers
* Adobe Reader: each version has new (useful?) features...
* Obvious security is well handled
* Blacklist security
* Foxit Reader: many features are supported... with no security at all
* Preview, poppler: minimalist viewers with few supported features
I, for one, have dumped Foxit in favor of Sumatra PDF Reader, another minimalist viewer.
IMHO, fewer features means a smaller attack surface, which translates into fewer vulns.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!