Security alert – Adobe Zero Day Vulnerability

from Zdnet

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

[ SEE: How to mitigate Adobe PDF malware attacks ]

The company has activated its security response process but declined to offer any more details until an investigation is complete.

Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as “very bad.”

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad.

Here’s what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks are limited and most likely targeted in nature. Expect the exploit to become more wide spread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

  1. There currently is no patch or update available that completely protects against this exploit.
  2. There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.

[UPDATE: Adobe plans to patch this issue on January 12, 2010 ]

source: http://blogs.zdnet.com/security/?p=5119&tag=content;wrapper

#Windows7 – #ZeroDay Bug

In a security advisory , Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.

The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.

At the time, Microsoft only said it was investigating Gaffie’s reports.

Then on Friday, it took the next step and issued the advisory. “Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable,” Dave Forstrom, a spokesman for Microsoft security group, said in an e-mail. “The company is not aware of attacks to exploit the reported vulnerability at this time.”

Forstrom echoed Gaffie’s comments earlier in the week that while an exploit could incapacitate a PC, the vulnerability could not be used by hackers to install malicious code on a Windows 7 system.

Both SMBv1 and its successor, SMBv2, contain the bug. “Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected,” assured Forstrom.

Attacks could be aimed at any browser, not just Internet Explorer (IE), Microsoft warned. After tricking users into visiting a malicious site or a previously-compromised domain, hackers could feed them specially-crafted URIs (uniform resource identifier), and then crash their PCs with malformed SMB packets.

Microsoft said it may patch the problem, but didn’t spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of Dec. 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies.

Gaffie’s vulnerability was the first zero-day reported and confirmed by Microsoft in Windows 7 since the new operating system went on sale Oct. 22.

#Security #Alert #Apple New iPhone malware spotted

Hot on the heels of the ikee worm, a second piece of iPhone-related malware has appeared, which enables hackers to connect to any device that has been jailbroken and still has an unchanged root password.

Jailbreaking is a term used to define iPhones that have been hacked by users to enable software other than that available through the App Store to be installed.

The new malware takes advantage of the same vulnerability in the iPhone as the ikee worm and has been dubbed iPhone/Privacy.A by Mac security software house, Intego, which first discovered its existence.

The company explained on its blog that hackers use the tool by installing it on either their own or compromised third-party Macs, PCs, Unix and Linux-based machines – or even on iPhones themselves. The program scans networks that are accessible to it and, when it finds a jailbroken iPhone, breaks into it, steals data including email, contacts and music files, and copies them.

Unlike the ikee worm, which indicates its presence by changing the iPhone’s wallpaper, there is no obvious sign that Privacy.A has been installed. Standard, non-jailbroken, iPhones are not at risk but estimates suggest that between six and eight per cent of all such devices are jailbroken.

Intego indicated that it was not possible to protect iPhones from exploitation by the tool at this time and therefore advised users to stick to stock configurations or risk exposing themselves to known vulnerabilities being exploited by code circulating in the wild. The supplier has developed VirusBarrier X5 to detect and eradicate the hacker tool on potential host Macs, however.

The release of Privacy.A comes the day after a poll by security software vendor Sophos indicated that a huge three-quarters of respondents believed that the Australian student who wrote the ikee worm was justified because he helped raised awareness of security issues.

But Graham Cluley, senior technology consultant at the vendor, was proved right in saying at the time that the move had let the genie out of the bottle, increasing the likelihood of others writing “a far more dangerous version of the worm, which could have a much more dangerous payload”.

http://www.v3.co.uk/v3/news/2252939/iphone-malware-spotted

Trojan attack targets #Facebook users

Security experts have warned Facebook users to be on the alert after the discovery of a new password malware scam linked to the Bredolab Trojan.

Email security firm Websense claimed yesterday to have seen 90,000 instances of the attack, calling it a “new wave of malicious spoof email attacks”.

The messages purport to come from Facebook and are designed to appear as a simple password reset confirmation. However, a .exe file in the mail contains a hidden virus with a nasty payload.

Websense said in a security alert that the .exe file connects to two servers in order to download additional malicious files. The victim’s PC then joins the Bredolab botnet, giving hackers full control.

“This spam email attack is designed to play on the subject at the forefront of users’ minds: their password security,” said Carl Leonard, Websense security labs manager.

“Falling for this scam could lead to the unsuspecting user becoming part of a botnet. With therecent hack of web email accounts, users would feel more compelled to open an attachment that purports to hold their new password, as they’d be worried who changed it in the first place.

“Our advice for users is to always go directly to the web address you have an account with and reset passwords there.”

Graham Cluley, senior technology consultant at Sophos, confirmed that the malicious emails have been spammed out widely across the internet.

“The ‘from’ address has been forged, and the attached file is in fact a piece of malware. Sophos detects the malware as Troj/BredoZp-M or Mal/Bredo-A,” he wrote in a blog post.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account. Exercise caution when you receive unsolicited emails, and protect your computer with up-to-date security software.”