Clearing some things up about Adobe - SANS Internet Storm Center

Clearing some things up about Adobe
The word “Adobe” conjures up a number of meanings here. When we get an email that mentions just “Adobe,” we fill in the blank with one of the following: Adobe the Company Adobe Acrobat Adobe Acrobat Reader Etc. This invariably leads to confusion. A similar confusion exists surrounding the recently reported Google incident (http://isc.sans.org/diary.html?storyid=7969) especially when Adobe released a similarly worded announcement: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file. I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack. Adobe’s (the company) ASSET security team released additional details yesterday (http://blogs.adobe.com/asset/2010/01/further_details_regarding_atta.html) where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product. So let’s look instead at how their products ARE being used to compromise systems… The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot: http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html Fortunately CVE-2009-4324 has been patched. A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox. I understand that when I download an interactive PDF-form that it’s going to need some javascript to run. I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs. Kevin Liston kliston@isc.sans.org	Kevin Liston 292 Posts ISC Handler Jan 15th 2010
Thread locked Subscribe	Jan 15th 2010 1 decade ago
Thought it is good add while it is not related: Last update in Dec 09 for Adobe*, the certificate for the download executable to upgrade the vulenrable version was not valid! It appears it is now valid upto 11/04/2012.	Ramu 12 Posts
Quote	Jan 15th 2010 1 decade ago
One thing that makes it even MORE confusing is that the last version of "Adobe Acrobat Reader" was 5.1. Versions from 6.0 on have been officially known as "Adobe Reader" (no Acrobat in the name anywhere). Thus, if you're running Adobe Acrobat Reader, you're probably really in need of an update! So, the products are "Adobe Reader" (which displays PDF files) and "Adobe Acrobat" (in Standard, Professional, Professional Extended, etc. variants). One trick I use is to add a .REG file to the Run key in the registry that turns off JavaScript for Reader/Acrobat whenever a user logs on to the machine. If they access a PDF file that contains JavaScript, they'll get a pop-up asking to turn it on. It turns on JavaScript indefinitely, but they next time their machine gets rebooted JavaScript will get turned back off. It doesn't eliminate the problem (and most users won't think before turning it on, so it's mostly only valuable for aware users), but it does reduce the chances. Finally, one other note - if you use the USPS site to buy postage for packages, it will silently fail to print the label if you have JavaScript turned off. You have to turn it back on and restart your browser. Another workaround involves leaving JavaScript turned off and disabling the display of PDF files inside the browser (which forces the PDF file to open in the full Adobe Reader application instead of in a hidden IE window, and then it can be printed manually).	Anonymous
Quote	Jan 15th 2010 1 decade ago

The word “Adobe” conjures up a number of meanings here. When we get an email that mentions just “Adobe,” we fill in the blank with one of the following:

Adobe the Company
Adobe Acrobat
Adobe Acrobat Reader
Etc.

This invariably leads to confusion.

A similar confusion exists surrounding the recently reported Google incident (http://isc.sans.org/diary.html?storyid=7969) especially when Adobe released a similarly worded announcement: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file. I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack. Adobe’s (the company) ASSET security team released additional details yesterday (http://blogs.adobe.com/asset/2010/01/further_details_regarding_atta.html) where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product.

So let’s look instead at how their products ARE being used to compromise systems…

The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot: http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html

Fortunately CVE-2009-4324 has been patched.

A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox. I understand that when I download an interactive PDF-form that it’s going to need some javascript to run. I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs.

Kevin Liston

kliston@isc.sans.org

Kevin Liston

292 Posts
ISC Handler

Jan 15th 2010

Thought it is good add while it is not related: Last update in Dec 09 for Adobe*, the certificate for the download executable to upgrade the vulenrable version was not valid! It appears it is now valid upto 11/04/2012.

Ramu

12 Posts

One thing that makes it even MORE confusing is that the last version of "Adobe Acrobat Reader" was 5.1. Versions from 6.0 on have been officially known as "Adobe Reader" (no Acrobat in the name anywhere). Thus, if you're running Adobe Acrobat Reader, you're probably really in need of an update!

So, the products are "Adobe Reader" (which displays PDF files) and "Adobe Acrobat" (in Standard, Professional, Professional Extended, etc. variants).

One trick I use is to add a .REG file to the Run key in the registry that turns off JavaScript for Reader/Acrobat whenever a user logs on to the machine. If they access a PDF file that contains JavaScript, they'll get a pop-up asking to turn it on. It turns on JavaScript indefinitely, but they next time their machine gets rebooted JavaScript will get turned back off. It doesn't eliminate the problem (and most users won't think before turning it on, so it's mostly only valuable for aware users), but it does reduce the chances. Finally, one other note - if you use the USPS site to buy postage for packages, it will silently fail to print the label if you have JavaScript turned off. You have to turn it back on and restart your browser. Another workaround involves leaving JavaScript turned off and disabling the display of PDF files inside the browser (which forces the PDF file to open in the full Adobe Reader application instead of in a hidden IE window, and then it can be printed manually).

Anonymous