Posts Tagged ‘Adobe’

View All Vulnerabilities

A new Adobe 0-day In the Wild – – But No Worries, You are Already Protected with Our Secure Web Gateway!

By Anat Davidi  •  December 7th, 2011  •   Vulnerabilities

Yesterday Adobe released an advisory for a vulnerability in the Adobe Reader and Adobe Acrobat products. The vulnerability, titled ‘U3D Memory Corruption Vulnerability’ was part of a targeted attack and discovered by Lockheed Martin’s Computer Incident Response Team. This is not the first time a targeted attack has been aimed at the US defense industry.

This attack involves embedding a maliciously crafted Universal 3D (U3D) stream in a PDF file, one of several examples of attacks on embedded streams within PDF files, and represents a growing attack vector due to its ability to deal with defense mechanisms among which DEP and ASLR (two techniques meant to help prevent unauthorized code execution) using known techniques such as JIT Spraying.

According to Adobe’s blog post released alongside the advisory, Adobe is planning to release an update for Adobe Reader 9, the version targeted by this vulnerability, “no later than the week of December 12, 2011″. The rest of its supported versions will receive updates as part of their quarterly updates in January 2012.

M86 Secure Web Gateway, version 9.2 and above, provides zero-day protection against this attack, without requiring any further updates. Customers who wish to monitor the attack in their organization may look for attacks that are tagged with the “Adobe Universal 3D streams” block message.

We’re proud that our proactive rules block this new zero-day exploit and we’ll continue to work hard to provide this level of protection to our customers in the future.

Tags:    |    |    |    |    |    |  

View All Spam

Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order” with an attached PDF file with the following similar Subject lines:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927).  If successful, the following payload is downloaded:


The 1.php file is an executable downloader (VirusTotal Report).  Another piece of malware is then downloaded and installed (VirusTotal Report), which is a spambot that proceeds to spam further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion.  And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.

Tags:    |    |    |    |    |  

View All Spam

PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez  •  February 7th, 2011  •   Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.

Read More

Tags:    |    |    |    |    |  

View All Malware

Don’t Pay Your Taxes

By Gavin Neale  •  December 5th, 2010  •   Malware

Or at least try to ensure that your money doesn’t end up in the hands of criminals using the Zeus crimeware kit, which could happen if you fall for this latest malicious email campaign targeting tax payers. The emails are being sent from one of the Pushdo/Cutwail botnets and the campaign is very similar to the EFTPS one we previously blogged about. The main difference is the use of legitimate hacked websites and a range of exploits targeting vulnerabilities in client side software such as Java and Adobe PDF readers.

The malicious email claims that your tax payment has been rejected and provides a link for you to check your information:

The link in the email, which appears to go to, actually goes to one of many web pages which have been uploaded to hacked web servers. The pages contain the obfuscated JavaScript shown below:

All of this script has the effect of adding just one new  line of JavaScript to the current page: location.replace(“http://[removed]”). This code tells the browser to browse to a new URL that is hosting the SEO exploit kit which contains the  JavaScript below.

This JavaScript determines if Java (Oracle Java, not JavaScript) is enabled and then redirects the browser again to the page rotator.php on the same server. Rotator.php contains exploits for four Java vulnerabilities and prompts you to download and open the file asshole.pdf. This PDF file, when opened in Adobe Reader attempts to detect the version and then launch an appropriate exploit if the detected version is known to be vulnerable.

The end goal of all these redirects and exploits is to install the notorious Zeus crimeware bot onto the victim’s machine. This is the VirusTotal report for the Zeus sample we collected. Zeus is well known for helping criminals steal login credentials as victims’ browse their online bank accounts and to transfer money into accounts under the criminals’ control.

Tags:    |    |    |    |    |  

View All Spam

PDF Reader Upgrade Scam

By Gavin Neale  •  October 20th, 2010  •   Spam

Over the past few days our spam traps have been receiving emails that claim to be from Adobe notifying the recipient of a software upgrade for Adobe Acrobat reader. Links in the e-mails direct the recipient to a different product, PDF 2010, which you have  to pay for to download

We have seen these scam emails with the following subjects:

Action Required : Upgrade Your New PDF Acrobat Reader
Action Required : Download Your New Adobe Acrobat Reader
Action Required :Active Your New Adobe PDF Reader

Scam e-mail message

We have seen the following domains in similar messages:

adobe-software-upgrade . com

adobe-software-2010 . com

adobe-software-download . com

adobe-acrobat-software . com

adobe-acrobat-sofware . com

These domains all redirect to, shown below, which looks nothing like the Adobe Acrobat web page. In fact the scammer is just using Adobe’s brand to attract more customers.

Read More

Tags:    |    |    |    |  

View All Vulnerabilities

Don’t Get Infected By Zombies

By Gavin Neale  •  October 15th, 2010  •   Vulnerabilities

Today we had a peek inside an exploit kit known as the Zombie Infection Kit. This kit is not as widely used as some of the more popular kits such as Eleonore and Phoenix and compared to these other kits, Zombie is not really that sophisticated. However it does carry the usual range of exploits that have been effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched by the vendors concerned.

As well as exploiting an old vulnerability in IE 6 and the recent Windows help center vulnerability, the Zombie Infection Kit also uses exploits targeting two Java vulnerabilities, four vulnerabilities in Adobe PDF readers and two vulnerabilities in Adobe Flash.

Success rates for the various exploits use by the Zombie infection kit

According to the exploit statistics page in the admin control panel, the two most successful vulnerabilities are in Oracle’s Java, accounting for just over 60 percent of successful infections between them. Following closely behind the Java vulnerabilities is ‘PDF’ which is actually a PDF file containing exploits for four Adobe PDF vulnerabilities; the most recent of which (CVE-2009-4324) has been patched since December 2009.

Another stats page shows a breakdown of victims by browser type, showing the percentage of successful installs for each browser.

Victim browser statistics. The last column is the percentage of successfully infected victims.

This table isn’t really indicative of how secure each browser is, as only Internet Explorer is targeted for browser specific vulnerabilities whereas all browsers are used to target vulnerabilities in Adobe Flash and PDF readers, and Java.

What this does show is that 15 percent (15.39 in the top row of the browser stats image, above) of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed.

Java exploits are becoming increasingly useful for web attackers, as many people don’t even know that Java is installed on their machines, or that it may need to be updated. What is worse is that it is possible to have multiple versions of Java installed on a machine so you can still be vulnerable even after you install the latest version, giving you a false sense of security.

We strongly recommend users uninstall Java if they don’t use it, or remove old versions and upgrade to the latest version just released by Oracle which fixes 29 flaws in the previous version for which exploits have recently been published.

Tags:    |    |    |  

View All Vulnerabilities

Adobe Security Update for Flash Player

By Anonymous  •  September 20th, 2010  •   Vulnerabilities

Today, Adobe announced the release of a security update for its Flash Player software, which was originally scheduled for release on September 27th.  The update was moved up a week, as it addresses a critical vulnerability (CVE-2010-2884) in Flash Player, which has been seen in attacks in the wild.  This vulnerability impacts all versions of Flash, including Mac and Linux as well as Android, Google’s mobile operating system.

Running unpatched versions of software is one of the key vectors used in attacks in the wild today.  We strongly encourage our readers to update to the latest version of Adobe Flash Player (version, which can be obtained from the Adobe Flash Player Download Center.  An update has also been made available for Android users, which can be obtained through the Android Marketplace.

Tags:    |    |  

View All Vulnerabilities

Adobe releases PDF patch for Reader and Acrobat

By Anonymous  •  June 30th, 2010  •   Vulnerabilities

Adobe has released an update to its Adobe Reader and Adobe Acrobat products. These new releases are part of an accelerated quarterly update process. According to their Security Bulletin (APSB10-15), this release addresses 17 documented vulnerabilities.

One of the major vulnerabilities addressed in this release is the Launch file dialog warning (CVE-2010-1240). This vulnerability was discovered by security researcher, Didier Stevens and we observed this vulnerability being exploited in the wild in two separate campaigns.

Allowing your software to remain unpatched is a major issue. Therefore, we strongly encourage users to update to the latest version of Adobe Reader and Acrobat.

Tags:    |    |    |  

View All Spam

PDF ‘Launch’ Feature Used to Install Zeus

By Gavin Neale  •  April 15th, 2010  •   Spam

Today we began seeing emails, like the one shown below, claiming to be from Royal Mail with an attached PDF file.

This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or opening or printing a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot. The image below shows part of this attachment within the PDF file, the start of the executable file is shown decompressed, in the red box.

The PDF uses the JavaScript function exportDataOject, shown below, to save a copy of the attachment to the user’s PC.

When this PDF is opened In Adobe Reader with JavaScript enabled, the exportDataOject function causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users, and not really knowing what is happening, they may just click save (It appears as if they are just saving a PDF file after all). Users of Foxit PDF reader will get no warning and the attachment will be saved to the users Documents folder.

Once the exportDataOject function has completed, the Launch action is run. The Launch action is used to execute the Windows command interpreter (cmd.exe) and is given a command line to execute.

This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf file in some commonly used folders such as My Documents and Desktop and then tries to run the file. (Remember that this is actually the executable file). Adobe Reader will pop up the box shown below and the command will only be run it the user clicks ‘Open’. The latest version of Foxit reader (released April 1st) will display a similar warning, older versions will go ahead and execute the command without asking.

If this command if successfully run, the Zeus data stealing bot is installed. Although having the latest versions of Foxit and Adobe reader will not protect you entirely from this feature, they do offer configuration settings and warnings before any program is launched. In Adobe reader you can disable the opening of non-PDF attachments using the trust manager in the preferences menu. You can also disable JavaScript in both readers to mitigate the impact of this and many other vulnerabilities.

MailMarshal users with the Block Executable rule enabled will be protected from PDF attachments with executable attachments. SpamCensor version 431 and KnownThreats version 26 both protect MailMarshal users from PDFs using this Launch action and Executable attachment feature.

Tags:    |    |    |  

View All Vulnerabilities

Finjan prevents 0-day exploit of Adobe Acrobat Reader and Flash player vulnerability

By Anonymous  •  July 23rd, 2009  •   Vulnerabilities

Finjan’s Malicious Code Research Center (MCRC) has detected yet another case of a 0-day attack “in the wild”. This time, hackers are exploiting a vulnerability (CVE-2009-1862) in Adobe Acrobat/Reader and Flash player. By exploiting this vulnerability, the hackers can download and execute malicious code on the victim’s PC. According to Adobe, an update will be available only on July 31, 2009; leaving end users’ PC in the mean time unprotected. 
As with the previous 0-day attacks we reported, Finjan’s unified Secure Web Gateway (SWG) successfully detected and prevented the attempt to exploit the vulnerability and to execute code. By utilizing its patented real-time content inspection technology, Finjan’s SWG proactively prevented the attack without any update. 
As discovered by the MCRC research, the attack is being used on compromised website containing a script tag that loads the exploit from a remote malicious server. The malicious script uses heap spray technique to load the attack Shellcode and than loads a malcrafted Flash file that triggers the vulnerability. 
Following is a code snippet of the malicious script: 
Another interesting aspect of this exploit is that the embedded Shellcode in the script loads an obfuscated executable. This simple obfuscation is done in order to evade detection by signature-based security products. The downloaded malicious executable creates a Trojan DLL named “wmimachine2.dll” and registers it as service on the victim’s PC. 
When posting the exploit on VirusTotal, we found that none of the 40 Anti-Virus products detected it as malicious. 
Posting the Malicious script ended with a similar result – no detection. 
Posting the Malicious flash file ended with the same result – no detection 
Posting the Obfuscated payload ended with the same result – no detection. 
When browsing to the compromised site serving the 0-day attack via Finjan’s unified secure web gateway, users are protected as can be seen below: 
Posted by Golan Yosef

Tags:    |    |    |    |    |