Comments on: Latest PDF Zero Day Leads to Exploit Egg Hunt http://blogs.mcafee.com/mcafee-labs/latest-pdf-zero-day-leads-to-exploit-egg-hunt Wed, 23 May 2012 15:26:06 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Didier Stevens http://blogs.mcafee.com/mcafee-labs/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1#comment-25253 Didier Stevens Fri, 16 Oct 2009 12:39:20 +0000 http://www.labs.com/research/blog/?p=2706#comment-25253 FYI, I've updated my PDFiD tool to detect this 0day: http://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/ FYI, I’ve updated my PDFiD tool to detect this 0day: http://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/

]]> By: user http://blogs.mcafee.com/mcafee-labs/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1#comment-25252 user Thu, 15 Oct 2009 19:05:26 +0000 http://www.labs.com/research/blog/?p=2706#comment-25252 Can you guys point out how you guys are actually going about decoding this to make it viewable using your tool fileinsight? Thanks and love the blog very informational!! :) Can you guys point out how you guys are actually going about decoding this to make it viewable using your tool fileinsight?

Thanks and love the blog very informational!! :)

]]> By: iTinker http://blogs.mcafee.com/mcafee-labs/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1#comment-25251 iTinker Wed, 14 Oct 2009 18:33:48 +0000 http://www.labs.com/research/blog/?p=2706#comment-25251 Q: what would be the effect of DEP set to 'optOut' or 'alwaysOn' on the heap spray attempt? (winXP+) "The hidden executable ...is written to disk and executed ..." Q: written where, executed by whom? If the attacked user is a "normal" user as opposed to an admin is the attack successful? What happens if a "normal" user is protected by a "line of business" Software Restriction Policy? Write+Execute should result in a security fault, preventing the attack. Is there a privilege escalation step? DEP, "normal" user and SRP are readily available mitigations/defenses against "drive by" attacks. Testing consistently against them and reporting the results would help to aquaint the non-specialist public with their use. Hopefully some will be encouraged to investigate and apply these measures, making themselves and the rest of the internet just that little bit safer. Q: what would be the effect of DEP set to ‘optOut’ or ‘alwaysOn’ on the heap spray attempt? (winXP+)

“The hidden executable …is written to disk and executed …”
Q: written where, executed by whom?
If the attacked user is a “normal” user as opposed to an admin is the attack successful?
What happens if a “normal” user is protected by a “line of business” Software Restriction Policy? Write+Execute should result in a security fault, preventing the attack. Is there a privilege escalation step?

DEP, “normal” user and SRP are readily available mitigations/defenses against “drive by” attacks. Testing consistently against them and reporting the results would help to aquaint the non-specialist public with their use. Hopefully some will be encouraged to investigate and apply these measures, making themselves and the rest of the internet just that little bit safer.

]]>