Vulnerability

First, make a note: after Adobe updates, restart your machine immediately to remove the Adobe Download Manger – it can be a vector for malcode. Now, back to our story. Aviv Raff has discovered a vulnerability with Adobe’s web site in combination with its Download Manager, an ActiveX script that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on a user’s machine until it is rebooted. Malicious operators could exploit it to download their code of choice. ...

Adobe has published a security bulletin about security vulnerabilities in Adobe Flash Player. In all versions up to the recent 10.0.42.34 Flash objects could evade the Sandbox which would allow for unauthorized cross domain requests. The vulnerability is rated critical. The updated version 10.0.45.2 as well of a fixed build of Adobe AIR 1.5.3.1930 is available in the flash download center and the air download center, respectively. Users should apply the update ASAP and administrators in companies should roll the fixed software out soon, too. ...

Microsoft has announced in Advisory (980088) that there has been a publicly disclosed vulnerability in Internet Explorer, versions 5 through 8. Users not running Internet Explorer in Protected Mode are at risk of having information, in files with predictable names, accessed by attackers. This vulnerability cannot be exploited to execute remote code or used for a denial-of-service attack. The largest group of users at risk are Windows XP users running IE without Protected Mode enabled. Internet Explorer on Vista and Windows 7 has Protected Mode enabled by default. ...

Early this afternoon Microsoft released an out-of-band security bulletin patching the vulnerabilities in Internet Explorer. The fix has been at the top of the news since the vulnerabilities it treats are believed to have led to the compromise of Google and about 30 other companies last week in what has been called the “Aurora” attack. The governments of France and Germany suggested that Internet users switch to a different browser until the vulnerability was fixed. ...

Now here’s an interesting turn of events. In the middle of all the attention to the “Operation Aurora” attacks, we’re now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment! Here’s the email we saw: The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week). ...

We just blogged about a highly targeted attack against military contractors. Now we saw one against the intelligence sector. This attack was done with a PDF file. Again. It was targetting the CVE-2009-4324 vulnerability. Again. When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this: What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0). Now, what is the document talking about? President’s day? DNI Information Sharing Environment? We don’t know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month. ...

Adobe is currently investigating a new security hole in Reader and Acrobat. Cybercriminals are currently spamming emails with prepared documents which lead to an infection of the computer with malware. The PDF document abuses a buffer overflow in a new place within the Adobe programs. There is a JavaScript object included in the PDF which checks the Reader Version – the exploit works with Adobe Reader starting at version 8. The code it injects downloads malware which it stores in the file “winver32.exe” in the Windows directory. This file drops 3 further files which Avira detects as BDS/Ientlcp.A, TR/Agent.faa and TR/Agent.HO. ...