bit-tech.net

Adobe flaw leads to Trojan attack

This latest security breach in Adobe's software may bring some red faces at the company, as the hole has been public since December 2008.

Adobe is suffering from a two-fer of security flaws at present, with researchers revealing an attack which utilises both Acrobat Reader and Flash Player to infect targeted PCs with a Trojan horse.

According to an article over on CNet, the vulnerability exists in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10 and has been around since at least December 2008 – although it's only within the last two weeks that security researchers have evidence of it being exploited in the wild.

The attack relies on the target opening a specially crafted SWF file, either as part of a web page or an e-mail, or opening a PDF file containing an embedded SWF. Once opened, the flaw is triggered and 'dropper' code is executed, which installs the malware – in the case of the current exploit, a Trojan horse package.

Both Windows XP and Vista users are potentially at risk, but those using User Account Control in Vista will be protected from the Trojan being installed. For more protection, the US-CERT organisation suggests renaming the files authplay.dll and rt3d.dll in your Adobe Reader directory, or disabling Flash content entirely from within your browser.
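
The rename workaround described above, as an added PowerShell example (not from the article, Adobe or US-CERT). The `Adobe` folder under Program Files as the default search root, the `AcroRd32` process check and the `.disabled` suffix are assumptions of this example.

```powershell
# Added example: apply (or undo) the DLL-rename workaround described above.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$SearchRoot,   # folders to search; defaulted below
    [switch]$Undo            # restore the original file names
)

# Assumption: Adobe products are installed in an "Adobe" folder under Program Files.
if (-not $SearchRoot) {
    $SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Adobe' }
}

$targets = 'authplay.dll', 'rt3d.dll'   # the two files named in the workaround
$suffix  = '.disabled'                  # constructed suffix, chosen for this example
$wanted  = if ($Undo) { $targets | ForEach-Object { $_ + $suffix } } else { $targets }

# A Reader instance that is already running keeps the DLLs loaded, so the
# rename only takes effect for it after a restart.
if (Get-Process -Name 'AcroRd32' -ErrorAction SilentlyContinue) {
    Write-Warning 'Adobe Reader is running; restart it after the rename.'
}

$SearchRoot | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $wanted -contains $_.Name }
} | ForEach-Object {
    $file = $_
    $newName = if ($Undo) { $file.Name.Substring(0, $file.Name.Length - $suffix.Length) } else { $file.Name + $suffix }

    # Never overwrite an existing file (for example a copy left by an earlier run).
    $status = 'skipped: target name exists'
    if (-not (Test-Path -LiteralPath (Join-Path $file.DirectoryName $newName))) {
        try {
            Rename-Item -LiteralPath $file.FullName -NewName $newName -ErrorAction Stop
            $status = if ($WhatIfPreference) { 'would rename' } else { 'renamed' }
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }

    # One result row per file found, so the outcome can be reviewed or logged.
    [pscustomobject]@{ Directory = $file.DirectoryName; From = $file.Name; To = $newName; Status = $status }
}
```

Run it from an elevated prompt, first with `-WhatIf` to list what would be renamed; `-Undo` restores the original names once the vendor fix is installed.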

Because of the way the attack is coded, it's cross-browser – meaning it's not just Internet Explorer users at risk – although, as usual, Firefox users equipped with the NoScript plugin will be safe from attack via untrusted sites.

Adobe's own advisory states that versions of Flash Player for all operating systems – including Windows, Mac, Linux, and UNIX – are vulnerable to a denial of service attack, although it only appears to be the Windows version which is capable of dropping files and being further exploited. The company has also promised a fix for the issue in Flash by the 30th of July, with a fix for the Adobe Reader flaw due the day after.

Are you amazed that Adobe waited more than half a year – and until the flaw was being exploited in the wild – to patch the hole, or is the company triaging its issues as best it can? Share your thoughts over in the forums.

12 Comments

Paradigm Shifter 26th July 2009, 12:55 Quote
Presumably those people using FlashBlock will have an extra layer of protection also?
Javerh 26th July 2009, 13:00 Quote
Good thing I use Foxit Reader.
Shagbag 26th July 2009, 14:01 Quote
Quote:
Are you amazed that Adobe waited more than half a year – and until the flaw was being exploited in the wild – to patch the hole, or is the company triaging its issues as best it can? Share your thoughts over in the forums.
I'm not amazed. Microsoft ignored critical IE bugs for months which it's now only getting around to fixing so why should Adobe be any different? While the non-profit Mozilla Foundation can fix critical JavaScript flaws within days and confirm the existence or not of further bugs over a weekend, it doesn't surprise me that a couple of the big, for-profit corporations are tardy with the unprofitable parts of their customer support, viz. providing patches for free.
sear 26th July 2009, 14:16 Quote
I use Foxit as well. Nice program if you can stomach all the ads and stuff they try to shove down your throat when you install it.

Seriously, the solution is to stop using Adobe's shitty programs, and stop giving them money. They produce good software when it comes to functionality and design, but it is almost always buggy and has tons of security vulnerabilities, and they have a very slow response rate in fixing those issues. One wonders why something like Flash needs to open up so many holes to the operating system to begin with.
nitrous9200 26th July 2009, 14:57 Quote
Quote:
Originally Posted by Shagbag
I'm not amazed. Microsoft ignored critical IE bugs for months which it's now only getting around to fixing so why should Adobe be any different? While the non-profit Mozilla Foundation can fix critical JavaScript flaws within days and confirm the existence or not of further bugs over a weekend, it doesn't surprise me that a couple of the big, for-profit corporations are tardy with the unprofitable parts of their customer support, viz. providing patches for free.

I'm looking at the Secunia advisory page for IE8 and it's only affected by one unpatched bug rated "Less critical". I don't know if all of the bugs from past IE versions are a problem in the latest version, in which case IE would be terribly insecure. Simple solution? Use another browser!
I think MS is slower to patch because they have to test more thoroughly, seeing as IE is an integral part of Windows (especially on XP) and they can't go around breaking things. Firefox on the other hand is just a 3rd party program and fixes don't have to be tested quite as much (also they have had to push out updates to fix something the last one broke).
aggies11 26th July 2009, 15:51 Quote
Vulnerabilities in Flash are why I started using Flashblock (didn't work, as some code still gets executed?) and eventually NoScript. I feel bad for blocking the advertisements for the sites I enjoy, but the web is just too dangerous nowadays.

I never found any discussion/acknowledgement of the original vulnerabilities (early Flash 9) so I'm certainly not surprised that more exist.
Shagbag 26th July 2009, 16:19 Quote
Quote:
Originally Posted by nitrous9200
I'm looking at the Secunia advisory page for IE8 and it's only affected by one unpatched bug rated "Less critical". I don't know if all of the bugs from past IE versions are a problem in the latest version, in which case IE would be terribly insecure. Simple solution? Use another browser!
I think MS is slower to patch because they have to test more thoroughly, seeing as IE is an integral part of Windows (especially on XP) and they can't go around breaking things. Firefox on the other hand is just a 3rd party program and fixes don't have to be tested quite as much (also they have had to push out updates to fix something the last one broke).
The vuln relates to IE operating on XP.
The vuln was originally reported on December 13, 2007.
Microsoft said they'd fixed it on July 14, 2009 and that fix was only a partial fix, with - what we're told is a complete fix - coming out this week.
18 months is one hell of a test cycle for a single vuln.
IE6 and IE7 account for over a third of web browsers. Back in December 2007 over 50% of users were using IE6 and IE7, so at least a third of internet users have been vulnerable for a period of over 18 months.
Less than 1 in 10 internet users currently use IE8.
IE8 was only officially released in March of this year so it does not surprise me that there are few reported vulns or exploits for it. The source code is not available for public viewing.
FF is the most popular browser in use today.
I'm not aware of any updates that have been issued to fix a problem with a previous update. Perhaps you could provide a link?
I totally agree that another browser should be used but you don't ever see that suggestion in Microsoft's official advisories ;).
Aracos 27th July 2009, 02:23 Quote
Quote:
Originally Posted by aggies11
Vulnerabilities in Flash are why I started using Flashblock (didn't work, as some code still gets executed?) and eventually NoScript. I feel bad for blocking the advertisements for the sites I enjoy, but the web is just too dangerous nowadays.

I never found any discussion/acknowledgement of the original vulnerabilities (early Flash 9) so I'm certainly not surprised that more exist.

What adverts does it block? I personally think Flash adverts should burn in hell for all eternity, not everyone has uber fast CPUs to give spare clocks to Flash adverts :P
I use Adblock Plus, Flashblock and noscript for an all round fast browsing experience :D

Who actually uses Adobe Reader? Seriously it's just a pile of bloatware, I don't wanna wait minutes for my damn PDF to load up! >:( I can understand if you have the version that creates PDF files but it's crap for PDF viewing, Sumatra PDF FTW :)
HourBeforeDawn 27th July 2009, 04:23 Quote
+1 for firefox users with no script ^__^
airchie 27th July 2009, 09:30 Quote
Quote:
Originally Posted by article
although, as usual, Firefox uses users equipped with the NoScript plugin...
NoScript pwns again. :)

For those of you saying Foxit et al are the best alternatives, they have been hit by the same vulnerabilities as Adobe in the past.
Specifically the JS bug a few months back.
So while I agree that Foxit is better than Adobe's PDF viewer and likely to have fewer security issues due to a smaller user-base if nothing else, it's not a blanket solution for security risks.
Shagbag 1st August 2009, 07:25 Quote
For those that still think MS is slower to patch because they have to test more thoroughly:

Not so thorough on this occasion: Microsoft 'update' breaks Office for Mac
ScottMac 30th June 2010, 13:35 Quote
Dear Mr. Adobe:

This past Friday, I was seated in front of my computer, minding my own business and preparing for one of the busiest weekends of my career, when you smacked me in the eyes with a Trojan.

Yes--A LOT was at stake, and my system was suddenly reduced to a useless box of bolts.

Fortunately, kind and diligent people across the Internet were responding, helping each other figure out how to repair YOUR problem, while YOU did Absolutely Nothing to address the disasters you caused.

Did you Enjoy your weekend? Get in a little golf? Maybe have a wholesome cookout, or spend a few days drunkenly crawling around Atlantic City, gambling away the money you stole from your customers?
Yesterday morning, you sent me some kind of "update", but interestingly enough, it would not load.
I see this morning, you have sent me another. It's like receiving a Christmas Card from Bernie Madoff.

I will be watching your stock, Mr. Adobe, with the same kind of bemused awe of a bystander watching a fleeing criminal fall down three flights of stairs.

Mr. Adobe, you Must Recognize the kind people who are donating their time, skills and knowledge to help those in need. Without them, you would be hiding under your bed, trembling at the din of angry customers you wilfully let down and ignored.

You're fired.
------------------------------------------------
THANKS, Bit-Tech! And THANKS to your Kind and Helpful forum posters who helped so many of us survive!