#1
Adobe Acrobat 0-Day On The Loose

<http://www.dslreports.com/forum/r21944841-Adobe-Acrobat-0Day-On-The-Loose>
<http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>

This 0-day exploit targets *all* builds of Adobe Reader, et alia.

Silj

--
"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable
from -- self-righteous sixteen-year-olds possessing infinite amounts of
free time."
- Neil Stephenson, _Cryptonomicon_

#2
Re: Adobe Acrobat 0-Day On The Loose

siljaline wrote:

>More Info here
>
><http://www.dslreports.com/forum/r21944841-Adobe-Acrobat-0Day-On-The-Loose>
><http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>
>
>This 0-day exploit targets *all* builds of Adobe Reader, et alia.
>
>Silj

To save people from having to load a web browser, when they only want to use a newsreader, here is the meat of the exploit from the Shadowserver.org site.

"The malicious PDF's in the wild exploit a vulnerability in a non-JavaScript function call. However, they do use some JavaScript to implement a heap spray for successful code execution. The malicious PDF's in the wild contain JavaScript that is used to fill the heap with shellcode. Since this exploit relies on both JavaScript and non-JavaScript components there are some potential reliability issues which has led to confusion over which platforms are affected.

Testing of the exploit with XP SP3 using Adobe Reader 8.1.1, 8.1.2, 8.1.3 and 9.0.0 shows that the vulnerability results in code execution on all of them. There may be cases where Adobe Reader crashes without code execution, especially on systems with more physical memory and faster processors. This is likely due to the race condition needed to populate the heap before certain data structures are parsed by Reader.

The exploit can be effectively mitigated by disabling JavaScript. In this scenario Adobe will still crash but the required heap spray will not occur and code execution is not possible. There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it. As a general rule I like the idea of both disabling JavaScript in Adobe Reader and also flagging PDF documents containing JavaScript at perimeter devices."
-- Matt Richard

http://www.shadowserver.org/wiki/pmw...endar.20090219
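
Added example (not part of any post in this thread, and not Shadowserver's or US-CERT's code): a Python check for the perimeter control recommended in the quoted note, flagging PDF files that carry JavaScript. It counts the /JS and /JavaScript name objects, undoes #xx name escapes, and also looks inside Flate-compressed streams; the function names and the sample documents are constructed for illustration.

```python
import re
import zlib

# PDF name objects that mark embedded script or automatic actions.
FLAGGED = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")
NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]*")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    """Undo #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    return HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def count_names(blob, counts):
    for m in NAME.finditer(blob):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name] += 1

def scan_pdf(data):
    """Return {name: occurrences} for FLAGGED names, or None if not a PDF."""
    if b"%PDF-" not in data[:1024]:
        return None
    counts = dict.fromkeys(FLAGGED, 0)
    count_names(data, counts)
    # Action dictionaries can sit inside Flate-compressed object streams.
    for m in STREAM.finditer(data):
        try:
            count_names(zlib.decompressobj().decompress(m.group(1)), counts)
        except zlib.error:
            pass  # some other filter, or not compressed at all
    return {k.decode(): v for k, v in counts.items()}

def should_flag(data):
    """Perimeter policy from the quoted note: flag any PDF with JavaScript."""
    counts = scan_pdf(data)
    return bool(counts) and (counts["/JS"] > 0 or counts["/JavaScript"] > 0)

# Constructed sample documents (not taken from any real file).
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
             b"3 0 obj\n<< /S /J#61vaScript /JS (var x = 1;) >>\nendobj\n%%EOF\n")
SAMPLE_OBJSTM = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
                 b"stream\n" + zlib.compress(b"<< /S /JavaScript /JS (var x = 1;) >>")
                 + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print([should_flag(d) for d in (SAMPLE_CLEAN, SAMPLE_JS, SAMPLE_OBJSTM)])
```

Encrypted documents and filters other than Flate are not unpacked here, so a zero count on such a file is not a clean result.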
#3
Re: Adobe Acrobat 0-Day On The Loose

Andy Walker wrote:

<snip>

> To save people from having to load a web browser, when they only want
> to use a newsreader, here is the meat of the exploit from the
> Shadowserver.org site.

</snip>

Point taken.

Silj

#4
Re: Adobe Acrobat 0-Day On The Loose

From: "siljaline" <spam@uce.gov>

| More Info here
| <http://www.dslreports.com/forum/r21944841-Adobe-Acrobat-0Day-On-The-Loose>
| <http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>

| This 0-day exploit targets *all* builds of Adobe Reader, et alia.

| Silj

US-CERT Current Activity

Adobe Releases Security Bulletin for Critical Vulnerability

Original release date: February 20, 2009 at 11:20 am
Last revised: February 20, 2009 at 1:51 pm

Adobe has released a Security Bulletin to alert users of a vulnerability in Adobe Reader and Acrobat. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. Adobe indicates that it has received reports of active exploitation.

US-CERT encourages users to take the following actions to help mitigate the risks:
* Review Adobe Security Bulletin APSA09-01.
* Review US-CERT Vulnerability Note VU#905281.
* Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript can be disabled in the General preferences dialog (Edit, Preferences, JavaScript, and un-check "Enable Acrobat JavaScript").
* Prevent Internet Explorer from automatically opening PDF documents.
* Disable the displaying of PDF documents in the web browser. This can be disabled in the General preferences dialog (Edit, Preferences, Internet, and un-check "Display PDF in browser").
* Use caution when opening untrusted PDF files.
* Install antivirus software, and keep virus signatures up to date.

US-CERT will provide additional information as it becomes available.

Relevant Url(s):
< http://www.kb.cert.org/vuls/id/905281 >
< http://www.adobe.com/support/securit...apsa09-01.html >

====
This entry is available at
http://www.us-cert.gov/current/index..._bulletin_for1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

#5
Re: Adobe Acrobat 0-Day On The Loose

David H. Lipman wrote:

> From: "siljaline" <spam@uce.gov>
>
> | More Info here
>
> | <http://www.dslreports.com/forum/r21944841-Adobe-Acrobat-0Day-On-The-Loose>
> | <http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>
>
> | This 0-day exploit targets *all* builds of Adobe Reader, et alia.
>
> | Silj
>
> US-CERT Current Activity
>
> Adobe Releases Security Bulletin for Critical Vulnerability
>
> Original release date: February 20, 2009 at 11:20 am Last revised:
> February 20, 2009 at 1:51 pm
>
> Adobe has released a Security Bulletin to alert users of a vulnerability
> in Adobe Reader and Acrobat. This vulnerability may allow an attacker to
> execute arbitrary code or cause a denial-of-service condition. Adobe
> indicates that it has received reports of active exploitation.
>
> US-CERT encourages users to take the following actions to help mitigate
> the risks:
> * Review Adobe Security Bulletin APSA09-01.
> * Review US-CERT Vulnerability Note VU#905281.
> * Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript
>   can be disabled in the General preferences dialog (Edit,
>   Preferences, JavaScript, and un-check "Enable Acrobat
>   JavaScript").
> * Prevent Internet Explorer from automatically opening PDF
>   documents.
> * Disable the displaying of PDF documents in the web browser. This
>   can be disabled in the General preferences dialog (Edit,
>   Preferences, Internet, and un-check "Display PDF in browser").
> * Use caution when opening untrusted PDF files.
> * Install antivirus software, and keep virus signatures up to date.
>
> US-CERT will provide additional information as it becomes available.
>
> Relevant Url(s):
> < http://www.kb.cert.org/vuls/id/905281 >
>
> < http://www.adobe.com/support/securit...apsa09-01.html >
>
> ====
> This entry is available at
> http://www.us-cert.gov/current/index..._bulletin_for1

<snip>

Thanks, Dave!

Also see:

<quote>
Adobe Reader/Acrobat Unspecified Buffer Overflow Vulnerability
Secunia Advisory: SA33901

Description:
A vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow. No further information is available.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.
</quote>

<http://secunia.com/advisories/33901/>

Silj

#6
Re: Adobe Acrobat 0-Day On The Loose

siljaline wrote:

> Andy Walker wrote:
>
> <snip>
>
>> To save people from having to load a web browser, when they only want
>> to use a newsreader, here is the meat of the exploit from the
>> Shadowserver.org site.
>
> </snip>
>
> Point taken.
>
> Silj

Post all the links you want. You're very helpful. Sometimes a person got to open their web browser. ;-)

Thanks!

--
JD..

#7
| |||
Re: Adobe Acrobat 0-Day On The Loose

David H. Lipman wrote:

> From: "siljaline" <spam@uce.gov>
>
> | More Info here
>
> | <http://www.dslreports.com/forum/r21944841-Adobe-Acrobat-0Day-On-The-Loose>
> | <http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>
>
> | This 0-day exploit targets *all* builds of Adobe Reader, et alia.
>
> | Silj
>
> US-CERT Current Activity
>
> Adobe Releases Security Bulletin for Critical Vulnerability
>
> Original release date: February 20, 2009 at 11:20 am Last revised:
> February 20, 2009 at 1:51 pm
>
> Adobe has released a Security Bulletin to alert users of a vulnerability
> in Adobe Reader and Acrobat. This vulnerability may allow an attacker to
> execute arbitrary code or cause a denial-of-service condition. Adobe
> indicates that it has received reports of active exploitation.
>
> US-CERT encourages users to take the following actions to help mitigate
> the risks:
> * Review Adobe Security Bulletin APSA09-01.
> * Review US-CERT Vulnerability Note VU#905281.
> * Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript
>   can be disabled in the General preferences dialog (Edit,
>   Preferences, JavaScript, and un-check "Enable Acrobat
>   JavaScript").
> * Prevent Internet Explorer from automatically opening PDF
>   documents.
> * Disable the displaying of PDF documents in the web browser. This
>   can be disabled in the General preferences dialog (Edit,
>   Preferences, Internet, and un-check "Display PDF in browser").
> * Use caution when opening untrusted PDF files.
> * Install antivirus software, and keep virus signatures up to date.
>
> US-CERT will provide additional information as it becomes available.
>
> Relevant Url(s):
> < http://www.kb.cert.org/vuls/id/905281 >
>
> < http://www.adobe.com/support/securit...apsa09-01.html >
>
> ====
> This entry is available at
> http://www.us-cert.gov/current/index..._bulletin_for1

Thanks Dave!

--
JD..

#8
| |||
Re: Adobe Acrobat 0-Day On The Loose

Andy Walker <awalker@nspank.invalid> wrote in news:499f3f98.152487609@news.webtv.com:

> siljaline wrote:
>
>>More Info here
>
>><http://www.dslreports.com/forum/r219...0Day-On-The-Lo
>>ose> <http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219>
>>
>>This 0-day exploit targets *all* builds of Adobe Reader, et alia.
>>
>>Silj
>
> To save people from having to load a web browser, when they only want
> to use a newsreader, here is the meat of the exploit from the
> Shadowserver.org site.
>
> "The malicious PDF's in the wild exploit a vulnerability in a
> non-JavaScript function call. However, they do use some JavaScript to
> implement a heap spray for successful code execution. The malicious
> PDF's in the wild contain JavaScript that is used to fill the heap
> with shellcode. Since this exploit relies on both JavaScript and
> non-JavaScript components there are some potential reliability issues
> which has led to confusion over which platforms are affected.
> Testing of the exploit with XP SP3 using Adobe Reader 8.1.1, 8.1.2,
> 8.1.3 and 9.0.0 shows that the vulnerability results in code execution
> on all of them. There may be cases where Adobe Reader crashes without
> code execution, especially on systems with more physical memory and
> faster processors. This is likely due to the race condition needed to
> populate the heap before certain data structures are parsed by Reader.
> The exploit can be effectively mitigated by disabling JavaScript. In
> this scenario Adobe will still crash but the required heap spray will
> not occur and code execution is not possible. There may be a method
> for populating the heap with the necessary shellcode without
> JavaScript, however if such a technique exists I am not aware of it.
> As a general rule I like the idea of both disabling JavaScript in
> Adobe Reader and also flagging PDF documents containing JavaScript at
> perimeter devices."
> -- Matt Richard
>
> http://www.shadowserver.org/wiki/pmw...endar.20090219
>

Another reason to do surfing in a vm, or use sandboxie. That way if something goes wrong, it's contained.

--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org