Adobe Reader/Acrobat Critical Vulnerability

Published: 2009-05-04
Last Updated: 2009-05-04 17:43:16 UTC
by Tom Liston (Version: 1)
1 comment(s)

A critical vulnerability has been discovered in the JavaScript handling of Adobe Reader and Acrobat versions 9.1 and earlier. According to Adobe's announcement, updates are expected by May 12th, 2009 for Adobe Reader and Acrobat 9.X, 8.X and 7.X on Windows; Adobe Reader and Acrobat 9.X and 8.X on Macintosh; and Adobe Reader 9.X and 8.X on Unix. A second vulnerability, specific to Adobe Reader for Unix, will be resolved by the same update.

In the meantime, you can mitigate the issue by disabling JavaScript in Reader and Acrobat:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences.
  3. Select the JavaScript category.
  4. Uncheck the ‘Enable Acrobat JavaScript’ option.
  5. Click OK.
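If you have more than a handful of machines, clicking through the dialog on each one does not scale. As an added example (not part of the original diary), the same checkbox can be cleared from a login script: in Reader 7 through 9 the preference lives in the per-user registry as the bEnableJS DWORD under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs. The Acrobat branch (Software\Adobe\Adobe Acrobat) is assumed here to follow the same layout. Python, standard library only; the registry is only touched on Windows when apply=True, so the dry run works anywhere.

```python
"""Disable Acrobat JavaScript for the current user without the GUI.

Same effect as Edit > Preferences > JavaScript > unchecking
"Enable Acrobat JavaScript": clears the bEnableJS DWORD under HKCU.
Stdlib only; the registry is touched only on Windows with apply=True.
"""
import sys

try:
    import winreg            # Windows only
except ImportError:          # lets the dry run work on any platform
    winreg = None

# Per-user preference branches.  The Reader branch is the one behind the
# checkbox in Reader 7-9; the Acrobat branch name is an assumption that it
# follows the same layout.
PRODUCT_BRANCHES = {
    "Adobe Reader": r"Software\Adobe\Acrobat Reader",
    "Adobe Acrobat": r"Software\Adobe\Adobe Acrobat",
}
VERSIONS = ("7.0", "8.0", "9.0")
VALUE_NAME = "bEnableJS"     # REG_DWORD: 1 = JavaScript on, 0 = off


def jsprefs_keys(branches=PRODUCT_BRANCHES, versions=VERSIONS):
    """Every HKCU subkey whose bEnableJS value should be cleared."""
    return [f"{base}\\{ver}\\JSPrefs"
            for base in branches.values() for ver in versions]


def javascript_enabled(subkey):
    """Read bEnableJS under HKCU\\<subkey>; None if the key or value is absent."""
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as handle:
            value, _ = winreg.QueryValueEx(handle, VALUE_NAME)
            return bool(value)
    except FileNotFoundError:
        return None


def disable_acrobat_javascript(apply=False):
    """Set bEnableJS=0 for every installed Reader/Acrobat version.

    Returns (subkey, status) pairs.  apply=False only reports what would be
    done.  With apply=True the version branch must already exist (i.e. the
    product is installed for this user), so no orphan keys are created.
    """
    results = []
    for subkey in jsprefs_keys():
        if not apply:
            results.append((subkey, "planned"))
            continue
        if winreg is None or sys.platform != "win32":
            raise OSError("registry changes require Windows")
        version_branch = subkey.rsplit("\\", 1)[0]
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, version_branch))
        except FileNotFoundError:
            results.append((subkey, "not installed"))
            continue
        # CreateKey opens JSPrefs, creating it if the product has not yet
        # written its preferences for this user.
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, subkey) as handle:
            winreg.SetValueEx(handle, VALUE_NAME, 0, winreg.REG_DWORD, 0)
        ok = javascript_enabled(subkey) is False
        results.append((subkey, "disabled" if ok else "failed"))
    return results


if __name__ == "__main__":
    for subkey, status in disable_acrobat_javascript(apply="--apply" in sys.argv):
        print(f"{status:14} HKCU\\{subkey}\\{VALUE_NAME}")
```

Because the value sits under HKCU it has to be applied in each user's session (a login script is the usual vehicle), and a user can switch it back on from the Preferences dialog, so re-run it rather than assume it sticks.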

Ref:
CVE-2009-1492: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
CVE-2009-1493: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

Remember back when we used to tell people to PDF documents because it was safer than dealing with MS Office?

(Thanks to "roseman" for the tip...)

Tom Liston - InGuardians - Handler on Duty
 


Putting the ED _back_ in .EDU

Published: 2009-05-04
Last Updated: 2009-05-04 17:02:08 UTC
by Tom Liston (Version: 1)
0 comment(s)

The Internet is a wonderful thing. Think of all the ways it has changed how we do things. Over the weekend, I needed to find some information on a particularly nasty weed we had growing in our woods. Back in the day, it would have entailed a trip to the local library and a pretty good possibility of not finding anything at all. Now, all it took was a little bit of Google-Fu, and I found a web page with way more information on this plant than I ever wanted.

There are web pages out there for EVERYTHING (thus Rule #34), and at this point, pretty much anyone can stand up a website.  Take a course or two at the community college, shell out a few bucks for an "HTML for Dummies" book, and heck, you're a "web designer."

Therein lies the problem.

Knowing how to "design" a page o' dancing gerbils does not a secure site make. (<-- Note: while grammatically correct, like Yoda do I sound...) Once you've mastered the fine art of the <blink> tag, you need to actually check your site to make sure that one of the evil denizens of the 'net hasn't altered your masterpiece.

In the brilliant precursor to this sequel, I tried to point out a little bit o' Google-dorking that found some really interesting things on the sites of various institutions of higher learning.  This time around, I'll throw some .gov sites under the bus as well.

Try tossing the following query at big-G: "site:.edu filetype:html buy viagra"

Last time I did this, I didn't name names... but I'm older and more curmudgeonly now, so here is a cross-section of some of the .edu sites that made the "little blue pill" hit parade:

  • The Division of Social Sciences at UC Santa Cruz
  • The Space Systems Simulation Laboratory at Virginia Tech
  • Indiana University-Purdue University Fort Wayne
  • The University of Tennessee - Knoxville
  • The Biology Department (how fitting!) at the University of Central Florida
  • The University of Khartoum (ev1l h@x0rs don't just whack universities in the U.S.)
  • The Northern Marianas College (see...)
  • etc..., etc..., etc...

What's kinda' cool is that since Google takes some time to "forget," you can also see the folks who WERE whacked for long enough to get spidered by the Google bot, but have since cleaned things up.

And let's not forget our fine government.  Nothing makes a taxpayer more proud than to know that their government websites are flogging fixes for flagging phalluses (ain't the alliteration sweet?).  Head back to Google and search for: "site:.gov filetype:html order viagra online"

Let's see... who do we have here?

  • The City of Ingleside, Texas (and they say Virginia is for lovers...)
  • The Oklahoma House of Representatives (still not Virginia...)
  • Yadkin County, North Carolina (oh... really, REALLY close...)
  • The New Hampshire Police Standards & Training Council (hehehehe...)

So, if any of you happen to have some free time on your hands, give those Google queries a shot.  Play around with different combinations of words and different combinations of search constraints. Drop a nice, polite note to the folks in charge of the compromised sites and point out the issues... but don't be surprised if they get a bit ticked off at you: there is a long, time-honored tradition in the IT world of blaming the messenger...

So what's the deal here? While I haven't had (and don't have) the time to do an in-depth investigation, my guess would be that these are the result of a Content Management System (CMS) getting "managed" by someone else, either through a weak password or through a vulnerability in the CMS itself (these things are notoriously buggy...). Generally these "additions" are housed in a <span> marked with "visibility:hidden," so a cursory glance at the rendered site shows nothing amiss, while the search engine still indexes the spam links and credits them to your trusted domain, which is the whole point of the exercise. If no one bothers to look at the actual code of the page, the altered pages can hang around forever, making your university, unit of government, or business look pretty darned silly.
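The check the diary asks for is a source-level one, so here is an added example (not part of the diary) of doing it in Python with only the standard library: walk a page's HTML, track which elements are hidden by inline CSS, and report every link and piece of text found inside them, flagging pharma keywords. It goes slightly beyond the diary's visibility:hidden case to the other hiding styles spammers commonly use (display:none and large negative offsets). The sample page and the example.invalid URLs are constructed for the example.

```python
"""Find hidden pharma spam injected into a page's HTML (stdlib only)."""
import re
from html.parser import HTMLParser

# Inline styles spammers use to keep injected content out of sight while
# search engines still index it.  The diary's case is visibility:hidden;
# display:none and large negative offsets are common variants.
HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
SPAM_WORDS = re.compile(r"\b(viagra|cialis|levitra|tramadol|xanax)\b", re.IGNORECASE)

# Elements that never get a closing tag, so they must not go on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenSpamScanner(HTMLParser):
    """Record links and text that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden) for each open element
        self.findings = []   # ("link", href) or ("text", data) inside hidden regions

    def _hidden(self):
        return bool(self.stack) and self.stack[-1][1]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # An element is hidden if it is styled hidden or nested in one that is.
        hidden = self._hidden() or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hidden and tag == "a" and attrs.get("href"):
            self.findings.append(("link", attrs["href"]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates some unclosed elements.
        if tag in VOID or tag not in [t for t, _ in self.stack]:
            return
        while self.stack.pop()[0] != tag:
            pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self._hidden():
            self.findings.append(("text", text))


def scan_html(html):
    """Return (all hidden findings, the subset containing pharma keywords)."""
    scanner = HiddenSpamScanner()
    scanner.feed(html)
    scanner.close()
    suspicious = [f for f in scanner.findings if SPAM_WORDS.search(f[1])]
    return scanner.findings, suspicious


# Constructed sample: a plausible department page with two injected blocks.
SAMPLE_PAGE = """<html><body>
<h1>Department of Biology</h1>
<p>Welcome to our <a href="/courses">course listing</a>.<br>
See the <a href="/faculty">faculty directory</a>.</p>
<span style="visibility:hidden">
  <a href="http://example.invalid/pills">buy viagra online</a> cheap cialis
</span>
<div style="position:absolute; left:-9999px">
  <a href="http://example.invalid/rx">order viagra online</a>
</div>
<p>Contact the webmaster for help.</p>
</body></html>"""


if __name__ == "__main__":
    findings, suspicious = scan_html(SAMPLE_PAGE)
    for kind, value in findings:
        flag = "SPAM" if (kind, value) in suspicious else "    "
        print(f"{flag} {kind:4} {value}")
```

Feed it the saved source of your own pages (a crawl of your site, not a screenshot): the rendered page looks normal, which is exactly why the check has to run against the markup. It will not catch content hidden by an external stylesheet or by JavaScript, so keep pairing it with the site: queries above, and treat any hit as a sign the CMS itself needs attention, not just the page.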

The moral of the story: CHECK YOUR SITE, MONITOR YOUR LOGS, THEN DO IT ALL OVER AGAIN. LATHER, RINSE, REPEAT.

Tom Liston - InGuardians, Inc. - Handler on Duty


Facebook phishing malware

Published: 2009-05-04
Last Updated: 2009-05-04 14:47:00 UTC
by Tom Liston (Version: 1)
1 comment(s)

Looks like there may be a piece of malware out there that is sending messages to folks on Facebook, trying to trick them into visiting a facsimile "Facebook" login page to steal their credentials. The phishing site is currently on "junglemix.in," so you may want to block that domain. More details as we figure this thing out. (Thanks to Kent for the heads up!)
