Adobe number one target for hackers

In the first quarter of 2010, Adobe products were the number one target for hackers. The reason is believed to be the multi-platform capability of Adobe products like Flash and Acrobat PDF. Many users are not aware of the dangers of opening PDF files from unknown parties.

The Adobe Reader & Acrobat exploit Pdfka was by far the most common at 42.97%. Combining two of the most common exploits for Adobe products yields almost 50% of the total exploits found in that quarter. Many Adobe users do not frequently update their software to the latest versions, much less apply recent patches.

Adobe patches more bugs

Last Thursday Adobe patched 12 bugs in its Flash application; three of these were caused by Microsoft. Hackers have been exploiting at least one of these vulnerabilities for at least a week. You can find the full details of the security bulletin on Adobe’s website under Security Advisories.

The report refers to ten vulnerabilities that can potentially lead to compromised systems by allowing hackers to execute their own code. Windows, Mac, and Linux machines were addressed in this patch, although Solaris is still set for a future update.

On July 10th Microsoft notified Adobe about vulnerabilities in Microsoft’s ATL (Active Template Library), two weeks prior to the public announcement. Microsoft’s security team has been investigating ATL for flaws since early 2008. “[Microsoft] was moving very fast to pull resources together to help us do triage on our products,” said Brad Arkin, Adobe’s director for product security and privacy.

“The hard part was determining what was vulnerable,” said Brad. “It’s easy to rebuild a test version, but then we had to make sure [that] works and make sure we didn’t break it.”

Patched versions of the Flash Player for Windows, Mac and Linux can be downloaded from Adobe’s Web site. Users can use Flash’s built-in automatic update mechanism to grab the new versions.

It is a step in the right direction to see Adobe take vulnerabilities in their products more seriously and address these issues in a timely fashion.

Adobe acknowledges the importance of security

Many agree Adobe has never responded quickly to security vulnerabilities in its popular products. Known vulnerabilities would take weeks, and in some cases months, to be addressed. Most recently, in February, Adobe confirmed a known vulnerability in its Acrobat PDF software and admitted the vulnerability is actively being used by hackers. Brad Arkin, Adobe’s director for product security and privacy, mentions this event is what prompted a new security practice.

Adobe has started reviewing the code in Adobe Reader and Adobe Acrobat products and is identifying “at-risk areas” that will be addressed and ultimately re-written. “We’re going to broadly look at the whole application, but focus on at-risk areas, where we’ll do threat modeling, static code analysis and look for potential vulnerabilities,” said Arkin. “We’re going to do a lot more pro-active work,” he promised. “We want to shake loose vulnerabilities.”

Arkin promises a regular patching cycle and in fact will deliver patches the same day as Microsoft. Although Adobe’s patch cycle is quarterly, not monthly, the patches will be delivered on the second Tuesday of the month. This schedule has not officially started. Arkin also mentioned JavaScript will not be disabled by default in future builds of Adobe Acrobat products.

More information on Adobe Acrobat’s new security initiative can be found on Adobe’s Asset blog.

Poisoning Google with Malware

There is a new threat that is filling Google search results with malicious links. CERT warns this threat is spreading quickly, especially over the last few days. According to CERT, thousands of legitimate sites are infected with this threat, now called the Gumblar attack.

The attack steals FTP accounts on the victim’s machine to further spread its reach. It also takes control of the victim’s browser, which is how it replaces Google search results. ScanSafe has reported that out of the 3,000 known infected sites, 800 were infected within the last week.

As of right now, the Gumblar attack is considered relatively small scale. With access to victims’ FTP account information and strong obfuscation, it is expected the growth will continue. Typically the number of sites infected with a known threat declines; this isn’t the case with the Gumblar attack.

The Gumblar attack uses known flaws in Adobe software products (that typically do not get patched quickly) to install the malicious software.

Adobe Acrobat vulnerable again

Another serious vulnerability in Adobe Acrobat is making its way around the Internet. So far testing has confirmed the vulnerability in Adobe Acrobat 8.1.0, 8.1.1, 8.1.2, 8.1.3, and 9.0.0. This affects the latest versions of both the 8.x and 9.x lines of Adobe Acrobat. Although the exploit is not JavaScript based, it is triggered via JavaScript, so for now disabling JavaScript will help mitigate this threat. Adobe has acknowledged the vulnerability and plans to release a patch around March 11th.

For now, if you want to disable JavaScript in Adobe Acrobat, you can go into the Edit menu and select Preferences. Under Preferences you will see a JavaScript option group; from there you can un-check the box to disable JavaScript.

This can also be disabled via the registry or a GPO under HKEY_CURRENT_USER:

Adobe Acrobat Reader:

Software\Adobe\Acrobat Reader\x.0\JSPrefs

Adobe Acrobat:

Software\Adobe\Adobe Acrobat\x.0\JSPrefs

Changing DWORD “bEnableJS” to zero will disable JavaScript.
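
The registry change described above can be scripted. The following PowerShell is an added example, not Adobe's own tooling: it finds each installed version under the two keys listed above, sets bEnableJS to zero, and reports the value before and after. The -AuditOnly switch and the assumption that every "x.0" version appears as a numeric subkey are illustrative.

```powershell
# Added example: audit, and optionally disable, Acrobat/Reader JavaScript for the
# current user. Key paths and the bEnableJS value are the ones named above;
# treating each "x.0" version as a numeric subkey is an assumption.
param([switch]$AuditOnly)   # hypothetical switch: report without changing anything

$products = 'HKCU:\Software\Adobe\Acrobat Reader',
            'HKCU:\Software\Adobe\Adobe Acrobat'

foreach ($product in $products) {
    if (-not (Test-Path -Path $product)) { continue }   # product key absent for this user

    # One subkey per installed major version (the "x.0" in the paths above)
    $versions = Get-ChildItem -Path $product |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($version in $versions) {
        $jsPrefs = "$product\$($version.PSChildName)\JSPrefs"

        # Read the current setting; $null means the value has never been written
        $before = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                       -ErrorAction SilentlyContinue).bEnableJS

        if (-not $AuditOnly) {
            if (-not (Test-Path -Path $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }
            # -Force overwrites an existing value; DWORD 0 disables JavaScript
            New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -PropertyType DWord `
                -Value 0 -Force | Out-Null
        }

        $after = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                      -ErrorAction SilentlyContinue).bEnableJS

        [pscustomobject]@{
            Key    = $jsPrefs
            Before = if ($null -eq $before) { '(not set)' } else { $before }
            After  = if ($null -eq $after)  { '(not set)' } else { $after }
        }
    }
}
```

Because the keys live under HKEY_CURRENT_USER, the script has to run in each user's own context to take effect for that user.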

Beware of fake Adobe Flash installs

Adobe is reporting an unusually high number of social networking sites hosting fake Adobe Flash installations. These installations install malicious software onto your computer. As with all software installs, it is highly recommended that you verify the URL before accepting a download and make sure your antivirus protection is up to date and active.