Client software updates and security



The Adobe vulnerability turned out to be even more interesting. It was actually discovered (sold by someone) back in October 2007 to iDefense, which buys up vulnerabilities and sells that information to the subscribers of its service. The official publication about a vulnerability happens only some time later, when the vendor releases a patch for it (in our case, four months later) :smile14:

And apparently one of the iDefense subscribers used this information "as intended": on January 20 an exploit appeared that downloaded the Zonebac trojan. Apparently only after that did Adobe decide to release an update... :smile10: As of February 9, the malformed PDF file carrying the trojan was not detected by any antivirus...

_ttp://isc.sans.org/diary.html?n&storyid=3958

Adobe Reader exploit in the wild
Published: 2008-02-09,
Last Updated: 2008-02-09 13:37:39 UTC
by Raul Siles (Version: 3)

The Adobe Reader vulnerability (see previous ISC post - CVE-2008-0655) is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified.

The first and only public report (till now) is available from an Italian Forum (original post in Italian), and was posted on January, 20. See image here (from the original forum post) for more file details. (See a better translation in UPDATE 2 below.)

If you see other incidents exploiting this, please, let us know.


UPDATE 1

VeriSign - iDefense sent us some additional information. Here is what they told us:

VeriSign - iDefense is observing exploitation of a recently patched vulnerability in Adobe Acrobat Reader. This vulnerability was discovered by Greg McManus of iDefense Labs and reported to Adobe in October 2007.

Since January 20, 2008 banner ads are actively serving malicious PDF files that exploit the vulnerability and install the Zonebac Trojan. Once installed the Trojan kills various anti-virus products and modifies search results and banner ads.

Until 2 days ago, this attack did not have a patch available while being actively exploited in the wild. A similar attack occurred in October 2007 when the same group used a Realplayer 0-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files though we have provided samples to all. This type of exploit works for both web browser and email attack vectors. Exploitation affects all 7.x versions of Adobe Acrobat Reader and versions prior to 8.1.2. Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.


Vulnerability Timeline:

* Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)
* Virus Report (http://www.pcprimipassi.it/servizifree/forum/forum_posts.asp?TID=10066, Jan. 20, 2008)
* Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)
* Immunity POC Exploit (http://www.immunityinc.com/partners-index.shtml, Feb. 6, 2008)
* Adobe Reader Vulnerability Exploitation in the Wild (ID#467384, Feb. 8, 2008)
* Adobe Security Advisory APSA08-01 (http://www.adobe.com/support/security/advisories/apsa08-01.html, Feb. 7, 2008)
* iDefense Receives Hostile PDF Sample (Feb. 7, 2008)
* iDefense Customer Notification (ID#467398, Feb. 8, 2008)

Additional details:


1c130a41aa6866bc081cf096bbd08da3 1.pdf
68b804a8463c9261b991f1c92e05f801 b.pdf

The Zonebac trojan communicates with the following URLs:

A.doginhispen.com
B.skitodayplease.com

We ran "1.pdf" through VirusTotal and got these results (0/32). Pretty scary!


UPDATE 2

Lou Giannelli wrote to tell us that the translation we linked to above totally sucks. So he offered to provide a much better version:

Hi, this morning I found myself cleaning three PCs infected with a Trojan (a variant of Zonebac) that is not currently detected by the AV (an exclusivity, but at the same time, an old acquaintance). I take this opportunity to greet the staff of Libero. On all 3 PCs, in the history there was the following IP at the time of the infection.

85.17.221.2

And among the temporary files, I found the following files (at the time of the infection).

Therefore, if you use IE and find this IP in the history, you have been infected by this Trojan. (it would be prudent to restrict this IP..)

I don't want to name the involved portals, but for the time being I'll watch the portals I suspect, expecting to be infected ... (in fact, the infection takes place in a casual manner, perhaps through the banner)

I'll inform the owner of the IP that such IP is hosting malware, and I'll submit the infected files to AV vendors (so they can update their virus definitions) ... and report this to the proper authorities (considering how expensive it is for those using dial-up connectivity).

Above all, a direct restriction to the portal hosting the virus is useless... considering the behavior in past similar cases. Bye, and keep your eyes peeled!

The truth will set you free.


The latest SANS bulletin gives a list of programs that can be used to check a computer for missing critical updates (I liked Secunia PSI best, although it has its problems too :smile3: )


Last week we pointed out multiple vulnerabilities in commonly used client software. Several readers replied to my request asking for tools used to update third-party software, and the most recommended tool for Windows is Secunia PSI (Personal Software Inspector), still in Release Candidate (RC-1) state, for personal use only (they also have a commercial version).

Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). For Linux you are pretty much tied to the software package manager of the distribution you like to use. I strongly encourage you to evaluate the best tool that meets your needs.

Thanks to all the readers for submitting their suggestions!

I honestly think this is something we need to take very seriously, as most malware and attacks today (targeted, botnets, etc) are focused on the clients, exploiting OS and third-party software vulnerabilities (plus social engineering). The two sides of the coin are:

* Corporate environments (not covered by this post) that frequently (in my own experience) present disheartening scenarios, having vulnerable outdated systems without patches for several months.
* Small organization, SOHO environments, independent professionals, end users, etc. We need to find solutions to deal with all the frequent security updates and simplify the user's software update life.

I've been testing Secunia PSI in a few computers recently and I got a good first impression. The tool scans the system and detects not only vulnerable installed software but remnant installations that still could lay around on the file system. It is focused on outdated vulnerable third-party software - just from a security perspective. Additionally, it can detect small pieces of software that do not appear in the "Add and Remove Programs" list, such as the Adobe Flash Player Plugin and ActiveX components. My main concern about this tool (shared by Kelvin too) is that the data about your installed applications is sent to Secunia to match it against their File Signatures engine, as they state on their website. The impact of someone getting access to all that information is pretty serious.

No matter what process (even manual if it works for you) or tool you use, all your installed software must be updated in a timely fashion! I know you are aware of it, but some responses to my request came from outdated vulnerable browser versions. Blame on me as well, as the software update checks do not always work as expected. More about this in a near future post...


The latest SecurityTracker bulletin carried information about vulnerabilities in Java which mean that either a specially crafted applet or specially crafted JavaScript in Firefox 2 would allow the same thing :smile2:

To fix the vulnerabilities you need to use:

1) Firefox no lower than 2.0.10

2) SDK, JDK and JRE:

- 6 Update 5 or higher
- 5.0 Update 15 or higher
- 1.4.2_17 or higher

Everyone knows how to update FF2. Updating Java is also simple: go to "Control Panel" / Java / Update / "Update now".

7. Java Runtime Environment (JRE)
Vendor: Sun
Two vulnerabilities were reported in the JRE Virtual Machine. A remote user can access files on the target user's system. A remote user can cause arbitrary applications on the target user's system to be executed.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2008/Mar/1019555.html

9. Java Runtime Environment (JRE)
Vendor: Sun
A vulnerability was reported in Java. A remote user can connect to network resources via the target user's system.
Impact: Host/resource access via network
Alert: http://securitytracker.com/alerts/2008/Mar/1019553.html

10. Java Web Start
Vendor: Sun
A vulnerability was reported in Java Web Start. A remote user can cause arbitrary code to be executed on the target user's system.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2008/Mar/1019552.html

11. Java Runtime Environment (JRE)
Vendor: Sun
A vulnerability was reported in Java. A remote user can access files on the target user's system. A remote user can cause arbitrary applications on the target user's system to be executed.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2008/Mar/1019551.html

12. Java Plug-in
Vendor: Sun
A vulnerability was reported in the Java Plug-in. A remote user can cause arbitrary applications on the target user's system to be executed.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2008/Mar/1019550.html

13. Java Web Start
Vendor: Sun
Several vulnerabilities were reported in Java Web Start. A remote user can access files on the target user's system. A remote user can cause arbitrary applications on the target user's system to be executed.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2008/Mar/1019549.html

14. Java Runtime Environment (JRE)
Vendor: Sun
A vulnerability was reported in Java. A remote user can cause arbitrary code to be executed on the target user's system.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2008/Mar/1019548.html



More information: a vulnerability in RealPlayer that can be exploited through its ActiveX control in the browser, for which there is no patch, only a temporary workaround.


_ttp://isc.sans.org/diary.html?n&storyid=4120

Real player is probably installed on many of your computers, and an exploit for an unpatched vulnerability was made public on the full-disclosure mailing list.

As a result, those using ActiveX capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.

Workarounds:

* Set killbits for:
  rmoc3260.dll version 6.0.10.45
  {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
  But this will also remove the genuine functionality of the player.
* Use a browser that doesn't support ActiveX (there's plenty of those).

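One way to apply the kill-bit workaround from the post above, as an added example that is not part of the ISC diary or this forum thread: it sets the Internet Explorer "Compatibility Flags" kill bit (0x400) for the two CLSIDs named in the post and then verifies that the bit is present. It assumes an elevated PowerShell session on Windows; also writing the Wow6432Node path on 64-bit systems is my assumption about where 32-bit IE reads its ActiveX compatibility settings.

```powershell
# Added example (not from the ISC diary or the forum): set the IE kill bit for the two
# RealPlayer rmoc3260.dll CLSIDs listed in the post, then verify it. Run elevated.
# Kill bits live under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as the REG_DWORD value "Compatibility Flags"; bit 0x400 tells IE never to load the control.
$KillBitFlag = 0x400
$ClsidList = @(
    '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
    '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'
)
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# Assumption: on 64-bit Windows the 32-bit IE consults the Wow6432Node hive too, so set both.
if ([Environment]::Is64BitOperatingSystem) {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any flag bits that are already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

function Test-KillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

foreach ($base in $BasePaths) {
    foreach ($clsid in $ClsidList) {
        Set-KillBit -Clsid $clsid -BasePath $base
        $state = if (Test-KillBit -Clsid $clsid -BasePath $base) { 'kill bit set' } else { 'NOT set' }
        Write-Host ("{0} {1}: {2}" -f $base, $clsid, $state)
    }
}
```

As the post notes, this also disables the player's legitimate in-browser functionality; clearing bit 0x400 from the same value (or deleting it) restores the control once a patched version is installed.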

A reminder that another "Black Tuesday" has arrived: you need to run the Microsoft update agent (or better still MBSA) and install the updates, since according to http://isc.sans.org/diary.html?n&storyid=4124 there are a number of vulnerabilities that allow arbitrary program execution:

1) a group of vulnerabilities in Excel, one of which is already being used by hackers

2) a vulnerability in Outlook

3) a vulnerability in Office



Archived

This topic is archived and closed to further replies.


×
×
  • Создать...