Archive | July, 2010

Metasploit Framework 3.4.1 Released – 16 New Exploits, 22 Modules & 11 Meterpreter Scripts

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. This release sees the first official non-Windows Meterpreter payload, written in PHP, as discussed last month here.

Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation.

For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines to make it easier.

This release contains 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment. The major changes in terms of numbers were:

  • 567 exploits and 283 auxiliary modules (up from 551 and 261 in v3.4)
  • Over 40 community reported bugs were fixed and numerous interfaces were improved

For more in-depth information about this release, see the 3.4.1 release notes here:

Metasploit 3.4.1 Release Notes

You can download Metasploit 3.4.1 here:

Windows – framework-3.4.1.exe
Linux (32-Bit) – framework-3.4.1-linux-i686.run

Or read more here.



Sunbelt Software Bought By GFI For An Undisclosed Sum

Looks like this is the way business is heading, especially in the software sector. As giants like Microsoft have shown, acquisition is the way to get new and innovative software without having to produce it yourself!

Sunbelt Blog is one of the few we actually link to in the sidebar and also read regularly.

They always have some interesting and generally fairly technical analysis of malware attacks and other intrusions.

Mail security and software utilities company GFI Software has bought independent US antivirus company Sunbelt Software for an undisclosed sum.

GFI already offers a range of security products that use third-party antivirus engines from companies such as Kaspersky and BitDefender to make up the scanning element of its mostly SME-oriented products such as the GFI MailDefense suite. The Sunbelt Software buy gives the company access to an antivirus engine of its own for the first time.

GFI will now integrate Sunbelt’s heavily revised ‘Vipre’ detection technology across the range of its own products. The software has a good reputation for innovation and was rewritten from the ground up just over a year ago.

“We were impressed by the high quality and innovative technology that underlies Sunbelt’s Vipre line of products and immediately saw strong synergies between the two companies,” said GFI CEO, Walter Scott.

Both GFI and Sunbelt have some great software and services, so I’d say this is a good integration for the industry. Plus it will give Sunbelt a lot more resources to develop its Vipre product, and will probably bring some improvements to GFI LANGuard too.

GFI will also get its hands on a malware detection engine that is already licensed to third-parties, generating standalone revenue of its own. Increasingly, merely selling antivirus and anti-malware is only one part of a business that depends on third-party licensing to stay afloat.

Sunbelt also has a distribution business, which is not part of the sale and will remain a separate entity, GFI said.

Smaller, independent antivirus companies selling out has been a steady trend, and is set to continue. The cash needed to keep development and marketing on track is getting harder to sustain at a time when free antivirus from Microsoft and others is taking away sales.

And the article raises an important point too: with Microsoft pushing out more and more free anti-virus and anti-malware solutions, plus a lot of other free software becoming more visible (products like Avast and Avira are free for home use), it’s getting harder for anti-virus software developers to make a living.

That’s why being acquired by a larger company with a wider range of products and services can help a lot.

Source: Network World



Andiparos – Open Source Web Application Security Assessment Tool

Andiparos is a fork of the famous Paros Proxy. It is an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, intercept and modify requests, etc.

The author did ask for the original authors of Paros Proxy to integrate his changes but was rejected, hence the fork.

The main advantage of Andiparos is its support for client certificates on smartcards. It also has several small interface enhancements, making life easier for penetration testers…

Features:

  • Smartcard support
  • History Filter (URLs)
  • Tag requests in history
  • other small enhancements…

You can download Andiparos here:

Andiparos-v1.0.tar.gz

Or read more here.



Australian Privacy Commissioner Rules Google Wifi Actions Illegal

Oh dear, poor Google seem to be catching all kinds of flak over their Wifi Data Collection.

The UK Met are already investigating them, they are being pulled to pieces in Germany too, and France is also weighing in. The latest to jump on the bandwagon is Australia, which states that they have breached the Australian Privacy Act.

It seems they might have dropped the ball big time with this one, although with the amount of money they have I doubt whatever legal restitution is served will dent the coffers severely.

The Australian Privacy Commissioner has ruled that Google ran afoul of the country’s privacy laws when its Street View cars collected personal data from open Wi-Fi networks.

“On the information available I am satisfied that any collection of personal information would have breached the Australian Privacy Act,” said Privacy Commissioner Karen Curtis in a statement.

“Collecting personal information in these circumstances is a very serious matter. Australians should reasonably expect that private communications remain private.”

Under the Privacy Act, Curtis is unable to sanction a company when she initiates an investigation. But she ruled that Google must publicly apologize, conduct “privacy impact assessments” of any new Street View data collection in Australia that includes personal information, and regularly consult with her about “personal data collection activities arising from significant product launches” in Australia.

Google has already apologised on their Google Australia blog here, which is a step in the right direction. They stated:

We want to reiterate to Australians that this was a mistake for which we are sincerely sorry. Maintaining people’s trust is crucial to everything we do and we have to earn that trust every single day. We are acutely aware that we failed badly here.

Google themselves have stated they’ve collected this data in 30 different countries, so it’ll be interesting to see how many similar cases pop up.

The Australian Federal Police have launched a separate investigation into Google’s Wi-Fi data collection. And since this and other investigations may still be ongoing, Curtis said she would not comment in more detail.

In May, with a blog post, Google said that its world-roving Street View cars had been collecting payload data from unencrypted Wi-Fi networks, contradicting previous assurances by the company. The post said that the data was collected by “mistake” and that the data has not been used in any Google products, and the company grounded its Street View fleet.

A month before, in response to a complaint from the German privacy commissioner, a Google blog post said that in scanning Wi-Fi networks its Street View cars were collecting only the SSIDs that identify the networks and MAC addresses that identify particular network hardware, including routers. Google uses this data in products that rely on location data, such as Google Maps.

Google has said it collected payload data in 30 separate countries, and though investigations are still underway in many, the company announced on Friday that after speaking to regulators, it is sending its Street View cars back on the road in Ireland, Norway, South Africa, and Sweden. These cars will resume their 360 degree picture taking next week, but they will no longer collect any Wi-Fi information.

The Street View cars will be hitting the street again and collecting data (but no more Wi-Fi info). Personally I’d love the maps to contain Wi-Fi data; free/open connections near your current location would be a great help for the urban warrior.

Best to rely on the old 3G or Wimax dongle then I guess.

Source: The Register



REMnux: A Linux Distribution For Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the SANS Institute course on Reverse-Engineering Malware (REM).

What REMnux Is Not

REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project.


If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

You can download REMnux here:

remnux-vm-public-1.0.zip

Or read more here.



Regional Trojan Threat Targeting Online Banks

Well, it was inevitable really. I’ve noticed in the last couple of years that phishing e-mails have started to use targeted lists, especially for banking sites, and the next step of course is trojans developed for specific regions.

The security company Trusteer (who makes Rapport) has done some research on this matter which has pinpointed certain malware specifically targeted at UK banking sites and their users. And the attackers actually appear to be using the rather successful Zeus trojan, with 2 botnets targeting the UK.

I would guess that targeting on a per-country basis increases the chances of success hugely, as there are only a limited number of banks in each country, and especially in small countries like the UK there aren’t that many popular ones, particularly after all the mergers that took place.

Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences.

Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud.

Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US.

The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems.

It seems like a sensible paradigm shift for the bot-herders and malware pushers: rather than spraying their malware everywhere, they can geolocate the IP addresses they are attacking and send out specific versions of their malware to clients from different countries.

This contrasts with the early days, when phishing and trojans only targeted the very largest US banking organizations (Citibank, Bank of America etc.).

Plus, more and more people are using online banking and micro-payment systems, sharing all kinds of sensitive data with the world online and storing it on their computers. This makes it a much richer field for the would-be fraudster.

Trusteer reckons the crooks behind the attack are using UK-centric spam lists and compromised websites to spread the malware while staying under the radar of security firms. It compares this process to the shift from mass assaults to targeted strikes in corporate espionage-motivated attacks such as Operation Aurora, which struck Google and other high-tech firms last year.

“Unlike known malware kits such as Zeus, Torpig, and Ambler which simultaneously target hundreds of banks and enterprises around the world and are on the radar of all security vendors, regional financial malware such as Silon.var2 and Agent.DBJP are highly targeted,” said Mickey Boodaei, Trusteer’s chief exec.

“In the UK, each campaign would usually focus on three to seven banks and target them for a period of six to nine months and then morph and change the list of targets, using a new more advanced version of the malware.”

Regionally-targeted malware has also cropped up in South Africa and Germany over recent months. A strain of malware called Yaludle, almost unseen outside Germany, has been used to target the online banking credentials of German surfers. Trusteer is urging banks to share information on targeted attacks locally as well as working with regulators and local law enforcement agencies to shut down command and control servers associated with regionally-targeted malware. The firm, naturally enough, also wants to persuade more banks to use its Rapport secure browsing software as a way of providing an extra defence against fraud.

As the report states, it’s started to appear in other countries too, such as Germany and South Africa. If you live in a non-major country, I’d imagine it’ll be coming to your shores soon enough. I already started seeing regionally targeted phishing e-mails here last year; I’d expect the location-aware trojans to hit soon too.

The trojans were actually identified by Trusteer’s Flashlight service, which is a kind of forensics software for banking. It allows banks to diagnose whether a client’s PC has been infected with malware following incidents of suspected fraud.

Anyway, interesting stuff. If you work in the financial sector, give those upstairs a heads-up about this, and if you have a big user base, please warn your users too.

Source: The Register



Safe3 SQL Injector – Automatic Detection & Exploitation Of SQL Injection Flaws

Safe3 SQL Injector is one of the most powerful penetration testing tools that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers.

Features

  • Full support for GET/POST/Cookie injection
  • Full support for HTTP Basic, Digest, NTLM and certificate authentication
  • Full support for MySQL, Oracle, PostgreSQL, MSSQL, Access, DB2, Sybase & SQLite
  • Full support for Error/Union/Blind/Force SQL injection
  • Support for file access, command execution, IP domain reverse lookup, web path guessing, MD5 cracking etc.
  • WAF bypass

You can download Safe3 SQL Injector here:

Safe3SI.6.2.rar

Or read more here.



Tabnapping Attack On The Increase

This is an interesting new attack; I saw a live demo of it a while back here: Tabnabbing: A New Type of Phishing Attack. All you need to do is let the page load, then browse to another tab for 5 seconds or more, and you’ll see the favicon change to Gmail’s and the page load a Gmail image.

And apparently the use of this attack is on the rise in the wild, according to Panda Labs. It’s a pretty interesting phishing attack, and although it’s unable to change the URL in the address bar, I believe a lot of people rely on visual cues and may not notice that the URL doesn’t match the page content.

The use of Tabnapping, the recently-identified phishing technique, is on the rise, says Panda Labs.

Tabnabbing exploits the tabbed browsing system in modern web browsers such as Firefox and Internet Explorer, making users believe they are viewing a familiar web page such as Gmail, Hotmail or Facebook. Cybercriminals can then steal the logins and passwords when users enter them on these hoax pages.

According to Panda’s latest Quarterly Report on IT Threats, the technique is likely to be employed by more and more cybercriminals and users should close all tabs they are not actively using.

I think this could be quite effective, especially for the less technical crowd on Facebook and those using services like Hotmail and Gmail. It could even extend into targeted, localized attacks on online banking systems.

Apparently all browsers are susceptible to this including Chrome, Firefox, Internet Explorer and Opera (on Windows XP anyway). More details in a PC Advisor article here.


Panda also revealed the number of Trojans being used on the web has surged, and they now account for just under 52 percent of all malware. The number of viruses on the web has also increased. Viruses account for 24 percent of all malware on the web.

The security firm said Taiwan had the highest number of infections, with just over 50 percent of all global malware infections happening in the country, while Russia and Turkey came close behind.

Panda also revealed attacks on social networks, fake antivirus software and poisoned links in search engines continued to be popular techniques used by cyber criminals.

Using the recent history disclosure bug in most browsers, sneaky attackers could actually scan a user’s browser to confirm which sites the user has visited, then create the tabnabbing site accordingly, reinforcing its effectiveness.

Perhaps this is something that can be addressed in Firefox, as the person who developed this technique, Aza Raskin, is the Creative Lead for Firefox.

Source: Network World



inundator v0.5 Released – IDS/IPS/WAF Evasion & Flooding Tool

What is inundator?

inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.

When would I use inundator?

inundator would be used whenever you feel there is a significant chance the attack you’re about to perform may be detected by the target’s intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.

Tell me more

inundator is a modern twist on an old concept — it’s an IDS/IPS/WAF evasion tool, used to anonymously flood intrusion detection systems with false positives in order to obfuscate a real attack. inundator leverages the vagueness and poor quality of Snort’s rules files to generate completely harmless packets / HTTP requests that contain just enough keywords to trigger a false positive. We thought this was an original idea, but it looks like Snot, fwsnort’s snortspoof, and possibly others beat us to the punch. However, these tools were developed around the turn of the century, are quite dated and well-forgotten, and overall quite inferior to inundator.

inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount.

The general idea is one would launch inundator prior to starting an attack, allow it to run during the attack, and continue to run it a while longer after you’ve accomplished the attack. The goal, of course, is to generate an overwhelming number of false positives so that your real attack is essentially buried within the other alerts, minimizing the chance of your attack being detected. It could also be used to ruin an IDS analyst’s day, or keep an organization’s infosec department busy for a while. I suppose it could also be used to test the effectiveness of an IDS, but no, not really.
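A defender’s counterpart to the flooding described above, added here as an example (it is not part of inundator or the original post): it parses Snort’s fast-format alert lines, flags the minutes where the alert rate crosses a flood threshold, and lists the signatures that fired only a handful of times inside those minutes, since a genuine attack alert is precisely the one that does not repeat a thousand times from rotating proxy addresses. The log lines, SIDs and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert format, one alert per line, e.g.
#   07/08-14:22:01.123456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
#   [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Fields of one fast-format alert line, or None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:11]          # "MM/DD-HH:MM" bucket (fast format has no year)
    rec["sig"] = rec["gid"] + ":" + rec["sid"]
    return rec


def parse_log(text):
    return [r for r in map(parse_fast_alert, text.splitlines()) if r]


def flood_minutes(alerts, threshold):
    """Minute buckets whose alert count reaches the threshold."""
    per_minute = Counter(a["minute"] for a in alerts)
    return {m for m, n in per_minute.items() if n >= threshold}


def triage_flood(alerts, threshold=500, max_hits=3):
    """Inside flood minutes, split signatures into noise (fired more than max_hits
    times, usually from many sources) and rare (at most max_hits hits).  The rare
    ones are where an analyst should look first when a flood is suspected."""
    flood = flood_minutes(alerts, threshold)
    in_flood = [a for a in alerts if a["minute"] in flood]
    hits = Counter(a["sig"] for a in in_flood)
    sources, messages = defaultdict(set), {}
    for a in in_flood:
        sources[a["sig"]].add(a["src"])
        messages[a["sig"]] = a["msg"]
    noise = sorted((s for s, n in hits.items() if n > max_hits), key=lambda s: -hits[s])
    rare = sorted(s for s, n in hits.items() if n <= max_hits)
    return {
        "flood_minutes": sorted(flood),
        "noise": [(s, messages[s], hits[s], len(sources[s])) for s in noise],
        "rare": [(s, messages[s], hits[s], sorted(sources[s])) for s in rare],
    }


def constructed_sample_log():
    """Constructed sample: 1500 keyword-only false positives over two minutes from
    rotating proxy exit addresses, one genuine alert buried in the middle, and one
    non-alert line.  SIDs and messages are illustrative, not taken from a real sensor."""
    noisy = [
        ("1:1201:7", "ATTACK-RESPONSES 403 Forbidden"),
        ("1:1122:6", "WEB-MISC /etc/passwd"),
        ("1:1852:4", "WEB-MISC robots.txt access"),
    ]
    lines = ["Snort restarted"]
    for minute in ("14:22", "14:23"):
        for i in range(750):
            sig, msg = noisy[i % len(noisy)]
            lines.append(
                f"07/08-{minute}:{i % 60:02d}.{i:06d}  [**] [{sig}] {msg} [**] "
                f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} "
                f"198.51.100.{i % 200 + 1}:{40000 + i} -> 192.168.1.10:80"
            )
    lines.insert(900,
        "07/08-14:23:10.000001  [**] [1:1000001:1] LOCAL admin login brute force [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
        "203.0.113.77:51234 -> 192.168.1.10:80")
    return "\n".join(lines)


if __name__ == "__main__":
    report = triage_flood(parse_log(constructed_sample_log()))
    print("flood minutes:", report["flood_minutes"])
    for sig, msg, n, nsrc in report["noise"]:
        print(f"noise  {sig:<12} {n:>5} hits from {nsrc:>3} sources  {msg}")
    for sig, msg, n, srcs in report["rare"]:
        print(f"RARE   {sig:<12} {n:>5} hits from {srcs}  {msg}")
```

The threshold should be tuned to the sensor’s normal per-minute rate; the point is that the rare list stays short even when the noise list runs to thousands of alerts.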

Requirements/Compatibility

inundator is implemented in Perl (version >= 5.10 is recommended due to ithreads bugs in previous versions), and has been tested on Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS X against Snort v2.8.5.2. It is presumed to work on all POSIX operating systems. Hell, it might even work on Windows.

You can download inundator v0.5 here:

inundator_0.5.tar.gz

Or read more here.



Adobe Patches PDF Vulnerabilities Being Exploited In The Wild

At last! Adobe has sorted itself out and released patches for 17 critical vulnerabilities in its Reader and Acrobat applications. We reported back in January about Active Exploitation Of Unpatched PDF Vulnerabilities.

The latest slew of vulnerabilities has been actively exploited by hackers for at least the past month, as detected in the wild by anti-virus companies. Many of the vulnerabilities were critical and could lead to remote code execution, especially combined with the recent Flash exploits.

They had to step up and get the patches out fast because the exploit code went public in June.

Adobe on Tuesday patched 17 critical vulnerabilities in Reader and Acrobat, including one that hackers have been using for nearly a month to commandeer PCs.

Another patch fixed a design flaw in the PDF format that attackers have been exploiting since April to dupe users into downloading a Trojan horse.

Adobe rushed the security update, which was originally slated to ship July 13, because exploit code went public and attacks using rigged PDF documents started showing on antivirus vendors’ reporting systems four weeks ago. The company patched Flash — hackers were tricking people into visiting malicious sites, then using the same bug to launch drive-by attacks — on June 10.

Sixteen of the 17 fixed flaws were labeled with the phrase “could lead to code execution” in Adobe’s advisory, the company’s way of saying that the bug was critical and could be used to hijack machines. Like Apple, and unlike Microsoft, Adobe doesn’t rate the severity of the vulnerabilities it patches. The seventeenth patch was also likely critical: “Arbitrary code execution has not been demonstrated, but may be possible,” the advisory read.

Looks like they’ve been having some serious problems: not just run-of-the-mill exploits but problems with the very architecture and design of the Adobe software. Some of the biggest malware distribution vectors last year came from Adobe Reader flaws.

And it has been happening in the wild; these flaws allowed malicious botnet herders to peddle their wares and infect thousands of people.

Another fix addressed a design problem in the PDF document format that could be leveraged to con users into downloading malware. The bug, which was not strictly a security vulnerability, was first disclosed by Belgian researcher Didier Stevens in late March. Stevens demonstrated how a multi-stage attack using the PDF specification’s “/Launch” function could successfully exploit a fully-patched copy of Adobe Reader. Stevens also showed how a Reader warning could be changed to further fool users.

Hackers have been using Stevens’ technique in mass attacks to infect Windows PCs with bot Trojans.

With the updates to versions 9.3.3 and 8.2.3, Adobe changed Reader and Acrobat so that the /Launch function was disabled by default — in earlier editions it had been turned on — and fixed the bug in the warning dialog so hackers couldn’t modify it. “Today’s update includes changes to resolve the misuse of this command,” said Steve Gottwals, an Adobe group product manager, on a company blog. “We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.”

Stevens confirmed the fixes in a post to his blog Tuesday. “Not only is the dialog box fixed, but the /Launch action is also disabled by default,” he said.
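A defender-side check for the /Launch case discussed above, added here as an example (it is neither Adobe’s fix nor Didier Stevens’ own tool): it counts the action names that matter in a PDF’s raw bytes, undoes the #xx hex escaping that evasive samples use to hide names such as /Launch, and pulls out the /F target of each launch action so an analyst can see what the document would run. The two PDFs are constructed inline, and the comments note the caveat that names inside compressed object streams are invisible to a raw scan like this.

```python
import re
import sys

# A PDF name can hex-escape any character as #xx, so "/Launch" may be written
# "/L#61unch".  Names are normalised before comparison; a plain substring search
# for "/Launch" would miss that spelling.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# Literal string after optional whitespace, backslash escapes honoured
# (nested unescaped parentheses and octal escapes are not handled).
LITERAL_STR = re.compile(rb"\s*\((?P<s>(?:\\.|[^\\)])*)\)")

WATCH = ("Launch", "OpenAction", "AA", "JS", "JavaScript", "EmbeddedFile", "ObjStm")


def normalise_name(raw):
    """Decode #xx escapes in a raw PDF name (given without its leading slash)."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(data):
    """Count watched names in the raw bytes and how many of them were hex-obfuscated."""
    counts = {n: 0 for n in WATCH}
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = normalise_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated += 1
    return counts, obfuscated


def launch_targets(data):
    """The /F target string of each /Launch action, read from the same dictionary."""
    targets = []
    for m in NAME_RE.finditer(data):
        if normalise_name(m.group(1)) != b"Launch":
            continue
        # Look from the action name up to the first '>>' that closes a dictionary.
        end = data.find(b">>", m.end())
        chunk = data[m.end():end if end != -1 else len(data)]
        for fm in NAME_RE.finditer(chunk):
            if normalise_name(fm.group(1)) != b"F":
                continue
            sm = LITERAL_STR.match(chunk, fm.end())
            if sm:
                raw = re.sub(rb"\\(.)", rb"\1", sm.group("s"))   # \( \) \\ -> ( ) \
                targets.append(raw.decode("latin-1"))
    return targets


def assess(data):
    """Findings for one PDF's bytes; an empty list means nothing of note was seen."""
    counts, obfuscated = count_names(data)
    findings = []
    if counts["Launch"]:
        findings.append("%d /Launch action(s): can start an external program when triggered"
                        % counts["Launch"])
        for target in launch_targets(data):
            findings.append("/Launch target: " + target)
        if counts["OpenAction"] or counts["AA"]:
            findings.append("/OpenAction or /AA present: the action can fire on open, no click needed")
    if counts["JS"] or counts["JavaScript"]:
        findings.append("embedded JavaScript present")
    if obfuscated:
        findings.append("%d watched name(s) hex-obfuscated, a common evasion of naive scanners"
                        % obfuscated)
    if counts["ObjStm"]:
        findings.append("object streams present: names inside them are compressed and "
                        "invisible to this raw scan")
    return findings


# Constructed samples, not taken from any real document.  The first opens straight
# into a hex-obfuscated /Launch of calc.exe; the second is a plain one-page PDF.
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /L#61unch /Win << /F (calc.exe) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    samples = {"constructed launch sample": LAUNCH_PDF, "constructed benign sample": BENIGN_PDF}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, data in samples.items():
        print(label + ":", assess(data) or ["nothing of note"])
```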

Five of the 17 bugs Adobe patched Tuesday were reported by Tavis Ormandy, the Google security engineer who was at the center of a brouhaha earlier this month after he publicly disclosed a vulnerability in Windows when Microsoft wouldn’t commit to a patching deadline.

Thankfully they’ve now disabled the /Launch function by default and fixed the other bugs which were classified as critical. Incidentally, 5 of the 17 bugs were reported by Tavis Ormandy, the Google engineer.

That guy has quite a record for uncovering software based vulnerabilities.

Source: Network World

