security discussion, July 2009 - Adobe's headaches

Posted by Dave K on 25 Jul 2009, 351 views


Security Discussion on edufire.com, July 2009

Here are the details of the security discussion for July. Every month we will have a free discussion of the latest threats on the Internet and follow it with a detailed report. Adobe has been taking it kind of hard in July: it has had to issue 5 security bulletins by the 22nd. The apps in question are Flash Player, the installer for Adobe Reader, and ColdFusion. I'll be ignoring the ColdFusion problems, but I'll be covering an infection that uses a fake Flash installer to try to trick people.

Flash

The Flash problem involves a technique called "heap spraying". Back in 2004, a hacker named "SkyLined" used a supposedly new attack technique that fills an area set aside for temporary storage (the heap) with a long run of no-ops (instructions that do nothing but fall through to the next instruction), followed by the malicious code at the end of the structure. You don't know exactly where that storage ends up in memory, so you use a large run of no-ops: that way you only need to estimate where to jump, and execution "slides" down the run into the malicious code. That is the theory, but because software that looks for anomalies (formally known as IDS, or Intrusion Detection Systems) watches for the official no-op instruction (0x90 on Intel chips), other instructions are now being used in its place.

Some sources claim it is nothing new and that it has been in use since 2001, but it got popular in 2005 after SkyLined used it. It looks to me like a simple buffer overflow, which has been popular since the late 90s. Nothing truly innovative from what I can tell so far, but I'll probably have to eat those words once I learn more.

The thing that makes this instance notable is that in the past the heap was sprayed with JavaScript. This time the same thing is being done with ActionScript, the scripting language used to automate Flash and Shockwave files. It has the same roots as JavaScript (both come from ECMAScript), so it makes sense that it would have similar vulnerabilities. Adobe states that an official fix will come out for Mac/Windows/Linux around July 30th, and July 31st for Solaris. Until then, they give the following list of things to do:

  1. Delete, rename, or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat v9. However, any PDF file that includes Shockwave content will then cause a crash or an error message. The authplay.dll file is found at:
     C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or
     C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll
  2. Use UAC (User Account Control) to keep the flaw from corrupting system-critical files.
  3. Use caution when browsing untrusted websites. Duh!
  4. Keep your Anti-Virus up to date. Adobe is communicating with AV vendors about the flaw, so one day soon your Anti-Virus program will recognize a bad PDF.

Installer

Another concern, completely unrelated to the Flash problem listed above, is a new virus that is available on a famous repository of exploits, milw0rm.com.

As a side note: earlier this month there was a lot of talk that milw0rm was closing down because its author, str0ke, said it was taking too much time. Now it appears his friends have taken the keys and are running it as before. This may or may not be good news depending on your POV. If you are curious and brave, wander on over to milw0rm.com and look at exploit #9233. But like they say, "Don't play with it if you don't know what it does... This virus is srs business."

According to Adobe, it is only of medium severity because you already need access to the computer to exploit it, and the attacker would have to be able to start the getPlus helper service. This is very difficult, if not impossible, on Vista machines that use UAC.

This only proves my feeling that it is a major mistake to disable UAC, as some suggest you do. The minor irritation is well worth the extra peace of mind. I go out of my way to do the same thing on XP and would have considered it a real godsend a few years ago.

You can check to see if you are vulnerable to this attack by looking for the following:

* the C:\Program Files\NOS subdirectory

* the "getPlus (R) Helper" service (click "Start" > "Run" and type "services.msc" to open the list of services)

If either is found, you can mitigate the issue by deleting the subdirectory and its contents or by deleting the "getPlus (R) Helper" service.
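The same check as a PowerShell script (an added example, not part of the original post): it looks for the NOS directory and the getPlus service named above and, when run with -Remediate from an elevated prompt, removes whichever it finds. It assumes the directory path given in the post (on 64-bit Windows the 32-bit Program Files folder is used automatically when run from a 32-bit shell) and the service display name exactly as written.

```powershell
# Added example: detect, and optionally remove, the getPlus installer component.
# Assumptions: the NOS directory sits directly under Program Files, and the
# service's display name is "getPlus (R) Helper", as stated in the post.
param([switch]$Remediate)

$nosDir  = Join-Path $env:ProgramFiles 'NOS'
$svcName = 'getPlus (R) Helper'
$findings = @()

# Check 1: the NOS subdirectory the installer leaves behind.
if (Test-Path -LiteralPath $nosDir) {
    $findings += "Directory present: $nosDir"
}

# Check 2: the helper service. services.msc shows the display name, so match on that.
$svc = Get-Service | Where-Object { $_.DisplayName -eq $svcName }
if ($svc) {
    $findings += "Service present: '$($svc.DisplayName)' (name: $($svc.Name), status: $($svc.Status))"
}

if (-not $findings) {
    Write-Output 'getPlus helper not found; this machine does not appear to have the vulnerable component.'
    return
}

$findings | ForEach-Object { Write-Output "FOUND - $_" }

if ($Remediate) {
    if ($svc) {
        # Stop the service first; a running service cannot be deleted cleanly.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        # sc.exe delete unregisters the service (Remove-Service only exists in PowerShell 6+).
        & sc.exe delete $svc.Name | Out-Null
        Write-Output "Removed service '$svcName'"
    }
    if (Test-Path -LiteralPath $nosDir) {
        Remove-Item -LiteralPath $nosDir -Recurse -Force
        Write-Output "Removed directory $nosDir"
    }
} else {
    Write-Output 'Re-run with -Remediate from an elevated prompt to remove these items.'
}
```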

Koobface

Koobface isn't directly related to Adobe, but it uses a fake Flash installer to trick you into infecting yourself. The worm spreads on social networking sites like Facebook, MySpace, Twitter, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog and fubar. So far, only computers running Windows are infected, so Linux and Macs don't have anything to worry about, yet.

It spreads from user to user in several stages:

  1. You befriend someone who is already infected.
  2. You play one of the videos in its messages, which sends you to a fake YouTube site.
  3. You are directed to download a fake Flash player.

Once you are infected, it takes over your surfing and sends you to contaminated web sites whenever you use search engines like Google, Yahoo, Bing, and Ask.com.

When this worm was discovered in July 2008, Alexander Gostev, Senior Virus Analyst at Kaspersky Lab, predicted that

“At the beginning of 2008 we predicted that we'd see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this. I'm sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity”.

At one point it only infected Facebook and MySpace, but this month it started infecting Twitter users. Researchers at Trend Micro reported that on July 9 a couple of hundred Twitter users were infected in the span of a few hours. Twitter is now suspending any accounts that are caught infecting others.

According to eweek.com, an analyst at Symantec mentioned the short URLs from sites like TinyURL. They say these URLs are difficult to filter because they obscure the domain name, and the end user really doesn't know where the link leads. TinyURL has had a fix for that problem for years; it's called "preview".

If you have the cookie set to use their "preview" option, then you will be shown the domain name and a snapshot of any shortened URL. It may mean one extra step to take, but that is worth it for the extra security. You get that cookie set here: http://tinyurl.com/preview.php.

There are a couple of Firefox extensions that will show you where a shortened URL points. Here are two:

https://addons.mozilla.org/en-US/firefox/addon/8636
https://addons.mozilla.org/en-US/firefox/addon/9549

However, according to some sources, Twitter is now using bit.ly instead of tinyurl.com, but bit.ly publishes an extension of its own:

https://addons.mozilla.org/en-US/firefox/addon/10297

I haven't tried any of the Firefox extensions listed above, but my instinct is to go with the one from bit.ly. It claims it will display TinyURL.com sites and any additional information bit.ly has about that link.

In the Koobface worm, if you look closely you can see that you are not being sent to YouTube.com but to a site in Russia called YouTube.[skip].ru.
Koobface is the word "facebook" with its two halves swapped and "book" spelled backwards: "koob" + "face".

Come visit us in August, learn about new threats and give your input to the community.

Sources and links

http://www.adobe.com/support/security/

http://blogs.adobe.com/psirt/

http://securitywatch.eweek.com/social_networking/koobface_worm_lands_on_twitter.html

http://status.twitter.com/post/138789881/koobface-malware-attack

http://Milw0rm.com

http://tinyurl.com/preview.php

https://addons.mozilla.org/en-US/firefox/addon/10297

https://addons.mozilla.org/en-US/firefox/addon/8636

https://addons.mozilla.org/en-US/firefox/addon/9549
