Comments on: New BackDoor Attacks Using PDF Documents http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents Tue, 29 Nov 2011 07:51:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Asheerq http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22534 Asheerq Mon, 06 Apr 2009 03:37:45 +0000 http://www.labs.com/research/blog/?p=806#comment-22534 i thinx adobe update it now thanx dear i thinx adobe update it now
thanx dear

]]> By: LouNaTech http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22532 LouNaTech Wed, 11 Mar 2009 17:41:14 +0000 http://www.labs.com/research/blog/?p=806#comment-22532 Adobe's Patch Is Released for Acrobat Reader 8.x & 9.x Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here: http://get.adobe.com/reader/ Acrobat 9 Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375 http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382 Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381 Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374 Still no talk of the vulnerability of Acrobat 6.x Adobe’s Patch Is Released for Acrobat Reader 8.x & 9.x

Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
http://get.adobe.com/reader/

Acrobat 9

Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382

Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381

Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374

Still no talk of the vulnerability of Acrobat 6.x

]]> By: Daniel Y http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22531 Daniel Y Mon, 02 Mar 2009 22:41:08 +0000 http://www.labs.com/research/blog/?p=806#comment-22531 There are a few new PoC at milworm that do not appear to be detected by VirusScan using the most recent DAT release. I've submitted some samples to AVERT in hope that an updated DAT will come out soon. According to http://secunia.com/blog/44/, they created some samples that proof disabling javascript in Acrobat/Reader does not mitigate the risk. VirusScan buffer overflow protection may help for users running Internet Explorer, but not firefox users. There are a few new PoC at milworm that do not appear to be detected by VirusScan using the most recent DAT release. I’ve submitted some samples to AVERT in hope that an updated DAT will come out soon. According to http://secunia.com/blog/44/, they created some samples that proof disabling javascript in Acrobat/Reader does not mitigate the risk. VirusScan buffer overflow protection may help for users running Internet Explorer, but not firefox users.

]]> By: Joe Blough http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22529 Joe Blough Thu, 26 Feb 2009 14:37:57 +0000 http://www.labs.com/research/blog/?p=806#comment-22529 There is exploit code (in the form of a perl script) at milworm. The script will generate a pdf file that contains the exploit. As of last night, 2 out of 39 AV programs on virustotal detect the milworm file as a threat. When tested on acrobat 6 running on Windows 98, acrobat displays a message that the file is corrupt and can't be read. It does not crash. I take that as an indication that Acrobat 6 is not vulnerable to the exploit. Windows-98 wins again over NT-based OS's. There is exploit code (in the form of a perl script) at milworm. The script will generate a pdf file that contains the exploit. As of last night, 2 out of 39 AV programs on virustotal detect the milworm file as a threat. When tested on acrobat 6 running on Windows 98, acrobat displays a message that the file is corrupt and can’t be read. It does not crash. I take that as an indication that Acrobat 6 is not vulnerable to the exploit. Windows-98 wins again over NT-based OS’s.

]]> By: Johnno http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22528 Johnno Wed, 25 Feb 2009 15:36:35 +0000 http://www.labs.com/research/blog/?p=806#comment-22528 Disabling Javascript may not help at all. I've noticed if you launch a "javascript" enabled PDF, it just keeps bugging you to turn it back on... Great fix for a corporate environment where users will agree to anything quickly if it'll stop them being bugged! Disabling Javascript may not help at all. I’ve noticed if you launch a “javascript” enabled PDF, it just keeps bugging you to turn it back on… Great fix for a corporate environment where users will agree to anything quickly if it’ll stop them being bugged!

]]> By: Addus http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22527 Addus Mon, 23 Feb 2009 16:54:10 +0000 http://www.labs.com/research/blog/?p=806#comment-22527 Will Mcafee be releasing a HIPS signature for this? If so when is it planning on being released? Will Mcafee be releasing a HIPS signature for this? If so when is it planning on being released?

]]> By: Addus http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22526 Addus Mon, 23 Feb 2009 16:53:18 +0000 http://www.labs.com/research/blog/?p=806#comment-22526 The CERT advisory states that disabling javascript in acrobat reader "may" prevent exploitation. What does "may" mean? Also if users have stripped down rights what would this do to the impact of exploit? The CERT advisory states that disabling javascript in acrobat reader “may” prevent exploitation. What does “may” mean? Also if users have stripped down rights what would this do to the impact of exploit?

]]> By: Geok Meng Ong http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22523 Geok Meng Ong Mon, 23 Feb 2009 01:38:18 +0000 http://www.labs.com/research/blog/?p=806#comment-22523 Larry, the vulnerability used by Conficker was exploited in the wild as a 0-day before the out-of-cycle patch was released, more notable by Spy-Agent.da. http://www.labs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/ Larry, the vulnerability used by Conficker was exploited in the wild as a 0-day before the out-of-cycle patch was released, more notable by Spy-Agent.da.
http://www.labs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/

]]> By: Joe Blough http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22519 Joe Blough Sat, 21 Feb 2009 20:56:04 +0000 http://www.labs.com/research/blog/?p=806#comment-22519 Can anyone confirm (or can anyone post a reference) that Acrobat version 6 is, or is not, affected by this exploit or has this vulnerability? Is there any example code available for vulnerability testing? Can anyone confirm (or can anyone post a reference) that Acrobat version 6 is, or is not, affected by this exploit or has this vulnerability? Is there any example code available for vulnerability testing?

]]> By: Larry Seltzer http://blogs.mcafee.com/mcafee-labs/new-backdoor-attacks-using-pdf-documents/comment-page-1#comment-22508 Larry Seltzer Fri, 20 Feb 2009 11:16:29 +0000 http://www.labs.com/research/blog/?p=806#comment-22508 Conficker wasn't a zero-day. Conficker wasn’t a zero-day.

]]>