The IT Security Attaché

His life, profiles, work, aspirations, agenda and schedule.


FYI…

Original URL: http://www.channelregister.co.uk/2009/03/30/conficker_signature_discovery/

Busted! Conficker’s tell-tale heart uncovered

Researchers find super worm cure, just in time

My thoughts, feedback and input.

You have a few hours to work on this and I know you’re going to be vigilant about it. Let’s save what and who we can with our best efforts. Time is of the essence, so get to it. I will be a bit busy for the next few hours checking on new vendor signature releases and info about this, dealing with my internal network and doing some last-minute checking and changes, so please pardon any delays in my responses for a while.

So now that signatures are being released for it, is it over?

No, it’s not. This is a staged effort. The signatures will be created and disseminated throughout the various security scanners, anti-virus and anti-malware vendor products, but then comes the updating and patching of the systems.

If you are running an older version of a vendor product, I strongly suggest you upgrade it now.

If you are running any definitions other than March 31st 2009 for your anti-virus and anti-malware solution, then you’re not fully protected yet.

If you are still missing Microsoft Windows patches (any and all of them), then there’s still some level of risk for you.

If you’re running vulnerable applications like Adobe Reader, Acrobat, Firefox, iTunes, QuickTime, web browsers, media players and other applications, check to make sure you’re not missing any vendor patches. The developers have released secure versions recently.

I still stick to my original take on this, which is: if you are already infected, just wipe and start over. There’s no real guarantee that you will fully get rid of the infection and the various pieces it comes with. If not, you have a good set of protective layers to work with.

Keep in mind that a signature-based solution works by detecting known signatures, not anomaly-based threats. As Conficker is a blended threat, I expect to see some aspects of it still evading some security solutions if they are not configured properly for effective use. Some people have their solutions configured with out-of-the-box settings, which may not be optimally configured for a critical threat like this with such a rapid rate of change.

I know this is short timing, but it is good timing to get the word out and get people to act quickly. Be kind and help spread the word to your family, friends, partners, associates, peers and anyone you converse with. This is critical info that needs to be shared.

Let’s get to it people. I’ve been up since Saturday helping people with their systems and talking about this and I plan to get some sleep over the next day or two.

Good luck and please keep me posted on any new developments and happenings around this once April 1st kicks in.


~Brett A. Scudder~

The IT Security Attaché


This just in from Sunbelt Software.

————————————-

Fwiw, we’re seeing a fair number of PDF exploits in the wild. There are versions attacking vulnerabilities in both Adobe and Foxit readers.

VIPRE has robust coverage for these threats. As an example, here is a VirusTotal report for this morning on an in-the-wild sample:

http://www.virustotal.com/analisis/cebedbb05df33870556200cf45fb510e

I would still encourage all of you to make sure that Acrobat readers in your company are updated with the latest versions from Adobe. These exploits are quite nasty, as some will infect with just a mouse-over on a file.

Alex Eckelberry

CEO Sunbelt-Software

www.sunbelt-software.com
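The PDF exploits Sunbelt describes, and the APSB09-04 bulletin reproduced further down this page, turn on two PDF features: the JBIG2Decode image filter (CVE-2009-0658) and embedded JavaScript (CVE-2009-0927). What follows is an added example, not Sunbelt’s or Adobe’s code, of a defender-side triage that inspects a PDF’s raw bytes for those features plus the auto-run triggers (/OpenAction, /AA) that let a payload fire without a click, so a mail gateway or helpdesk script can hold a file for review before any reader opens it. The sample PDF byte strings are constructed for the demo and the function names are mine.

```python
import re
from collections import Counter

# Added example (not Sunbelt's or Adobe's code): byte-level triage of a PDF for
# the features behind the exploits discussed on this page. Regexes over raw
# bytes are deliberate: triage must not hand the file to a full PDF parser.

# A PDF name is '/' followed by regular characters; '#xx' hex escapes are legal
# inside names and are a common way to hide /JavaScript or /JBIG2Decode.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_names(data: bytes) -> Counter:
    """Count every name token in the file, with #xx escapes decoded."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        decoded = _HEX_ESC.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        counts[decoded.decode("latin-1")] += 1
    return counts


# Indicators tied to the issues on this page, plus the triggers that let an
# action run as soon as the document is opened or a page is viewed.
INDICATORS = {
    "JBIG2Decode": "JBIG2 image filter (the CVE-2009-0658 code path)",
    "JavaScript": "embedded JavaScript (the CVE-2009-0927 code path)",
    "JS": "JavaScript action",
    "OpenAction": "action fires when the document is opened",
    "AA": "additional-actions dictionary (page/annotation events)",
}


def triage_pdf(data: bytes) -> dict:
    """Return {'is_pdf', 'hits', 'verdict'} for a PDF given as raw bytes."""
    # Readers tolerate junk before the header, so look in the first 1 KiB.
    is_pdf = b"%PDF-" in data[:1024]
    names = pdf_names(data)
    hits = {n: d for n, d in INDICATORS.items() if names[n] > 0}
    has_js = "JavaScript" in hits or "JS" in hits
    auto_run = "OpenAction" in hits or "AA" in hits
    # JBIG2 on its own is normal in scanned documents, so it only earns a
    # review; script that runs automatically, or script sitting next to a
    # JBIG2 stream, is unusual enough in business mail to quarantine.
    if has_js and (auto_run or "JBIG2Decode" in hits):
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": is_pdf, "hits": hits, "verdict": verdict}


# Constructed sample documents for the demo (minimal, not valid for viewing).
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n"
)
SCANNED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Filter /JBIG2Decode /Length 0 >>\n"
    b"stream\nendstream\nendobj\n%%EOF\n"
)
SUSPECT_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /J#53 (app.alert('constructed sample')) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_PDF), ("scanned", SCANNED_PDF), ("suspect", SUSPECT_PDF)]:
        r = triage_pdf(doc)
        print(f"{label:8s} verdict={r['verdict']:10s} hits={sorted(r['hits'])}")
```

The check reads the raw bytes only, so names inside FlateDecode-compressed object streams are invisible to it; a production version inflates those streams first and then runs the same name scan over the result. The hex-escape decoding matters because `/Java#53cript` is the same name as `/JavaScript` to the reader but not to a naive string match.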


New ransomware holds Windows files hostage, demands $50
‘Sobering’ turn by crooks ‘doesn’t bode well,’ says researcher
Gregg Keizer

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=NLT_AM

March 25, 2009 (Computerworld) Cybercrooks have hit on a new twist to their aggressive marketing of fake security software and are duping users into downloading a file utility that holds users’ data for ransom, security researchers warned today.

While so-called scareware has plagued computer users for months, those campaigns have relied on phony antivirus products that pretend to trap malware but actually only exist to pester people into ponying up as much as $50 to stop the bogus warnings.

The new scam takes a different tack: It uses a Trojan horse that’s seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the malware swings into action, encrypting a wide variety of document types — ranging from Microsoft Word .doc files to Adobe Reader PDFs — anytime one is opened. It also scrambles the files in Windows’ “My Documents” folder.

When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semiofficial notice from the operating system. “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads.

Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.

“This does look like a new tactic,” said David Perry, the global director of education at antivirus vendor Trend Micro Inc. “But all online fraud is just minor variations of classic con games. This is just the ‘Bank Examiner’ played out on the Internet.”

That classic con, said Perry, typically involves a swindler posing as an official, a bank examiner or an FBI agent who asks for help in an investigation. The swindler convinces the mark to withdraw money from the bank — it’s needed to catch the nonexistent crook in the act — and promises to return the funds at the end of the case. Of course, the money vanishes, along with the grifter.

On the Web, data-hostage scams like this are called “ransomware” for obvious reasons. This isn’t the first time the tactic has been used, but it is remarkably polished, said Perry. “We’ve not seen ransomware with this level of sophistication,” he said.

Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan horse. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.

Alex Lanstein, a malware researcher at FireEye who blogged about FileFix Pro 2009 last week, called the turn from scareware to ransomware “sobering.”

“Although we broke the encryption, it’s a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom,” Lanstein said. “Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.”

If ransomware follows a similar path as scareware, criminals will be hustling to mimic FileFix Pro. According to some estimates, crooks make as much as $5 million a year pushing fake antivirus software.
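Two points on this page pair naturally: the Conficker post’s reminder that a signature-based tool only catches what it has a signature for, and the description above of documents being scrambled in place anytime one is opened. The following is an added example, my code and not from Computerworld, FireEye, Trend Micro or any vendor named here, that runs a signature check and an anomaly check over a constructed “My Documents” folder held in memory. The signature side is a SHA-256 blocklist, which a repacked copy of the same dropper evades; the anomaly side flags a document whose file header no longer matches its extension and whose contents have near-random Shannon entropy, which is what a scrambled file looks like whatever produced it. File names, contents and the hash on the blocklist are all constructed for the demo.

```python
import hashlib
import math
import os
import random
from collections import Counter

# Added example (not from Computerworld, FireEye, Trend Micro or any vendor on
# this page): a signature check and an anomaly check run over constructed files.


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or random data,
    well below that for text and uncompressed office formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Leading bytes each document type is expected to carry. A file whose extension
# says .doc but whose first bytes are not the OLE2 signature has been rewritten
# by something that did not understand the format.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (Word 97-2003)
    ".pdf": b"%PDF-",
    ".txt": None,  # no magic; judged by how much of it is printable instead
}


def header_matches(name: str, data: bytes) -> bool:
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data)
        return len(data) == 0 or printable / len(data) > 0.9
    return data.startswith(magic)


def classify_document(name: str, data: bytes, threshold: float = 7.0) -> str:
    """'intact' when the header is right; 'scrambled' when the header is wrong AND
    the body looks random; 'damaged' when the header is wrong but the body is not."""
    if header_matches(name, data):
        return "intact"  # a legitimately compressed PDF stream also lands here
    return "scrambled" if shannon_entropy(data) >= threshold else "damaged"


def signature_scan(files: dict, known_bad: set) -> list:
    """Files whose SHA-256 is on a blocklist: catches exactly what is listed."""
    return sorted(n for n, d in files.items() if hashlib.sha256(d).hexdigest() in known_bad)


def anomaly_scan(files: dict) -> list:
    """Document files that now look encrypted, whatever did it."""
    return sorted(n for n, d in files.items()
                  if n.lower().endswith(tuple(MAGIC)) and classify_document(n, d) == "scrambled")


# ---- constructed sample folder ----
_rng = random.Random(2009)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


DROPPER_V1 = b"constructed stand-in for a fake-update dropper, build 1"
FILES = {
    "report.doc": MAGIC[".doc"] + b"Quarterly report text. " * 100,
    "notes.txt": b"Meeting notes: patch Reader to 9.1 today.\n" * 20,
    "scan.pdf": b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode >>\nstream\n" + _random_bytes(2048),
    "budget.doc": _random_bytes(2048),          # stand-in for a document scrambled in place
    "update.exe": DROPPER_V1,
    "update2.exe": DROPPER_V1 + b" repacked",   # same payload, different bytes
}
KNOWN_BAD = {hashlib.sha256(DROPPER_V1).hexdigest()}

if __name__ == "__main__":
    print("signature hits:", signature_scan(FILES, KNOWN_BAD))
    print("anomaly hits:  ", anomaly_scan(FILES))
    for n, d in FILES.items():
        print(f"{n:12s} entropy={shannon_entropy(d):.2f} {classify_document(n, d)}")
```

The entropy threshold alone would misfire on `scan.pdf`, whose compressed image stream is just as random-looking as ciphertext; requiring the header mismatch as well is what keeps legitimate compressed documents out of the alert. A real deployment would hook file writes and watch for a burst of such rewrites rather than sweep a folder after the fact, but the classification step is the same.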


Security bulletin

Security Updates available for Adobe Reader and Acrobat

Release date: March 18, 2009

Vulnerability identifier: APSB09-04

CVE number: CVE-2009-0658, CVE-2009-0927

Platform: Windows and Macintosh

Summary

Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

Affected software versions

Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

Solution

Adobe Reader

Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
http://get.adobe.com/reader/

Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh

Acrobat 9

Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382

Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381

Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374

Acrobat 8

Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Acrobat 7

Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 7 users on Windows update to Acrobat 3D Version 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to protect themselves from potential vulnerabilities.

These updates resolve the JBIG2 filter buffer overflow issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03 (CVE-2009-0658).
Note: there are reports that this issue is being exploited.

The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)

The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve issues previously addressed in Adobe Reader and Acrobat 8.1.3 and later, and Adobe Reader and Acrobat 9 and later. (CVE-2008-4814, CVE-2008-4813, CVE-2008-2549)
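This bulletin spreads the fix across three release branches, and two of the CVEs were closed at different points on the 8.x branch (CVE-2009-0927 already in 8.1.3, CVE-2009-0658 only in 8.1.4), so “is this install patched?” is a per-CVE question. The following is an added example, not Adobe’s code, that encodes the version-to-CVE mapping stated in this bulletin and reports which CVEs an installed Reader or Acrobat version still leaves open, together with the update the bulletin recommends for that branch. The inventory of hostnames and versions is constructed; how you collect installed versions from endpoints is left out.

```python
from typing import Dict, List, Tuple

# Added example, not Adobe's code. Fix versions per CVE and branch are the ones
# this bulletin states. Below 7.x no update is listed, so every CVE is reported
# open there; above 9.x is outside the bulletin's "9 and earlier" scope.

Version = Tuple[int, ...]

# CVE -> {major branch: first version on that branch carrying the fix}
FIXED_IN: Dict[str, Dict[int, Version]] = {
    "CVE-2009-0658": {9: (9, 1), 8: (8, 1, 4), 7: (7, 1, 1)},  # JBIG2 filter buffer overflow
    "CVE-2009-0927": {9: (9, 1), 8: (8, 1, 3), 7: (7, 1, 1)},  # JavaScript method input validation
    "CVE-2008-4814": {9: (9, 0), 8: (8, 1, 3), 7: (7, 1, 1)},  # older issues, fixed in 8.1.3+ / 9+
    "CVE-2008-4813": {9: (9, 0), 8: (8, 1, 3), 7: (7, 1, 1)},
    "CVE-2008-2549": {9: (9, 0), 8: (8, 1, 3), 7: (7, 1, 1)},
}

TARGET = {9: "9.1", 8: "8.1.4", 7: "7.1.1"}  # update the bulletin recommends per branch


def parse_version(text: str) -> Version:
    """'8.1.3' -> (8, 1, 3); '9' -> (9,). Missing components count as 0 when comparing."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return parts


def is_at_least(installed: Version, fixed: Version) -> bool:
    n = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) >= pad(fixed)


def open_cves(installed_text: str) -> List[str]:
    """CVEs from APSB09-04 that the given Reader/Acrobat version still leaves unpatched."""
    installed = parse_version(installed_text)
    branch = installed[0]
    if branch > 9:
        return []
    open_list = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is None or not is_at_least(installed, fixed):
            open_list.append(cve)
    return open_list


def recommended_update(installed_text: str) -> str:
    branch = parse_version(installed_text)[0]
    if branch > 9:
        return "none required"
    # The bulletin offers 8.1.4 / 7.1.1 only to those who cannot move to 9.1.
    return TARGET.get(branch, "9.1 (no update listed for this branch)")


def audit(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """host -> {'version', 'open', 'update'} for a {host: installed version} map."""
    return {
        host: {"version": ver, "open": open_cves(ver), "update": recommended_update(ver)}
        for host, ver in inventory.items()
    }


# Constructed inventory for the demo; hostnames and versions are made up.
INVENTORY = {
    "ws-finance-01": "9.0",
    "ws-finance-02": "9.1",
    "ws-legal-01": "8.1.3",
    "ws-legal-02": "8.1.4",
    "kiosk-lobby": "7.1.0",
    "ws-old-lab": "6.0.1",
}

if __name__ == "__main__":
    for host, r in audit(INVENTORY).items():
        status = ", ".join(r["open"]) or "patched"
        print(f"{host:14s} {r['version']:6s} open: {status}  ->  update to {r['update']}")
```

The comparison pads short version strings with zeros so that `9` and `9.0` compare equal and `8.1` is correctly treated as older than `8.1.3`; the point of keeping the table per CVE rather than per “latest version” is that an 8.1.3 install shows up as exposed to CVE-2009-0658 only, which is exactly what the bulletin text says.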

Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:
