Posted on Jun. 09, 2010 at 3:00am
A new virus warning has been issued by two security software experts regarding a critical vulnerability in Adobe’s Flash Player, Reader and Acrobat software, even as Adobe itself released a security advisory about a critical vulnerability that causes the Flash Player software to crash.
Both Symantec and TrendMicro warned that the vulnerabilities it found in the Adobe software contain what is called a “zero-day” vulnerability – one that is not yet detected by the software developer and is, therefore, exploitable by makers of malicious code before the owner and developer of the exploited software can fix the “hole” in the program through which hackers can attack the users of the software in question.
On Friday, Adobe released a security advisory announcing a zero-day exploit found in specific Adobe Flash Player versions. The underlying vulnerability could also be used to run arbitrary code that enable the downloading or dropping malicious files into an affected system, TrendMicro warned in an email sent to journalists. According to Adobe, all released 10.0.x and 9.0.x versions of Flash Player, including the latest version (10.0.45.2), are vulnerable.
Because the vulnerable component of Flash Player is also used by Adobe’s PDF products, both Acrobat and Reader versions 9.3.2 and earlier that belong to the 9.x family are also affected. The earlier 8.x versions of Acrobat and Reader are not affected.
Malicious files exploiting this vulnerability have already been encountered by Trend Micro and are now detected as TROJ_PIDIEF.WX. No date for a patch or fix for this vulnerability has been announced by Adobe, although Adobe offers two potential workarounds – one for Flash Player and another for both Acrobat and Reader.
In the case of Flash Player, users can download the 10.1 version, which is already available for download, although it has not yet been officially released for public use and remains at Release Candidate (RC) status. For reader and Acrobat, users can manually delete the vulnerable component. However, when this is done, all Flash content within .PDF files cannot be opened. Users may see a crash or error message, although the exploit – and any malicious content attached to it – will not be triggered.
Symantec has confirmed the attacks that exploit the vulnerability announced by Adobe in its security advisory as well. The vulnerability is present in the Adobe software for platforms that include the following operating systems: Windows, Macintosh, Solaris, Linux and UNIX. Symantec’s Security Response found that the attack involves Trojan.Pidief.J, which is a PDF file that drops a back door onto the compromised computer if an affected product is installed. Upon analysis of monitored attacks, Symantec also observed that a malicious SWF file detected as Trojan Horse is used in conjunction with an HTML file acting as a downloader to download another malware (Backdoor.Trojan) from the web. A backdoor program bypasses normal authentication procedures, secures remote access to a computer and obtains access to plaintext while it attempts to remain undetected by the computer it is infecting. These backdoor programs may take the form of installed programs or may be modifications to an existing program or hardware device.
According to Symantec, the attacks can take place in various situations, such as “receiving an email with a malicious PDF attachment, receiving an email with a link to the malicious PDF file or a website with the malicious SWF embedded in malicious HTML code (or by) stumbling across a malicious PDF or SWF file when surfing the web” – information independently confirmed by TrenMicro as well.
Symantec advises enterprises and individual computer users alike to “make sure (their) operating systems and applications are updated with the latest patches; be cautious and not open suspicious email attachments or attachments that aren’t expected and; use a complete security solution that protects against today’s threats, as well as unknown threats.”
TrendMicro said these malicious code exploiting the Adobe vulnerability “are in the wild,” though it added that “the attacks seem limited at this point. However, other cyber criminals may jump on the bandwagon to take advantage of the vulnerability in the very near future. It’s advisable that you visit Adobe’s security advisory and spend some time investigating what workarounds would be applicable for your environment until a patch is released.”
All a-Twitter with back doors
TrendMicro technical communications analyst Carolyn Guevarra also issued yet another virus alert, this time regarding news tweeted on microblogging site Twitter about the FIFA World Cup and the recent Gaza attack after TrendMicro’s analysis arm, TrendLabsSM found that Twitter, too, is experiencing two malware campaigns. Tweets about both the FIFA World Cup and the Gaza attack are being used as social engineering ploys by malware campaigns seen on Twitter.
Guevarra said in an email to technology reporters that TrendLabsSM senior threat researcher Ivan Macalintal “spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of noteworthy events to lure users into clicking malicious links (embedded) in tweets. The first malware run makes use of the upcoming FIFA World Cup - set to see record levels of global interactivity according to CNN – by sending a tweet to Twitter users following news on the soccer event.
Clicking the link leads users to download a copy of a back door TrendLabsSm identified as BKDR_BIFROSE.SMK, which connects to IP addresses that allow a remote user to perform malicious activities on infected systems. These activities include sending and receiving files, key-logging and stealing user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.
According to Guevarra, second malware campaign, on the other hand targets Twitter users following news related to the Gaza attacks on the microblogging site. “This time, the malware that is downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and opens TCP port 788 to listen for commands from a remote malicious user who may initiate a denial-of-service (DoS) attack to target systems using specific flooding methods,” Guevarra warned. These malware attacks via Twitter come hard on the heels of a click-jacking malware campaign that affected social networking netizens using Facebook.
Unsafe Safari – even for Macs
Meanwhile, people using Apple’s Safari web browser have been warned by enterprise security software maker Sophos that the popular web browser also hase security holes. Both Mac and PC users who run Safari on their Windows machines have been advised by Sophos security experts to update their operating system software to plug these holes.
In an advisory posted on Facebook, Sophos security researchers said that “whether you own a Windows or Mac OS X computer, if you’re a user of Apple’s Safari browser, it’s time to update your computer against a swarm of security vulnerabilities.”
“With the attention of most Apple devotees diverted this week towards the sleek new iPhone 4, some may have missed that the Cupertino-based company has also issued a brand new version of its web browser, Safari,” Sophos said in a warning posted on its Facebook page. “Most interestingly to us, however, is the news that Safari 5.0 not only includes new functionality, but also plugs at least 48 different security vulnerabilities that (if left unpatched) could be exploited by hackers.”
Users of Mac OS X version 10.4, which Safari 5 doesn’t support, needn’t worry, the Sophos advisory said. “Apple has issued Safari version 4.1 for those customers, which addresses the same set of security issues.”
However, the Sophos experts also warn that if users “dawdle over updating (their) computer(s), it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a booby-trapped webpage could lead to malicious code being automatically run on (the victim’s) computer.”
Knocking down the myth that Macs are not affected by malware, the Sophos experts said “it doesn’t matter whether you own a Mac or a Windows PC, if you run Safari the message is clear: Update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.” Sophos also advises that “Safari users should practise safe computing and update their systems as soon as possible.”
A new malware warning was issued by two firms specializing in security software... Both Symantec and TrendMicro warned that the vulnerabilities it found in the Adobe software contain what is called a “zero-day” vulnerability – one that is not yet detected by the software developer and is, therefore, exploitable by makers of malicious code before the owner and developer of the exploited software can fix the “hole” in the program through which hackers can attack the users of the software in question.Continue Reading