$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts
tsu doh nimh writes with this excerpt from Krebs on Security: "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a 'sandbox' feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."
Translating Roman Numerals... srsly??? (Score:2)
Has the average IQ of /. readers dropped so low recently that it became necessary to translate Roman numerals??
Re:Translating Roman Numerals... srsly??? (Score:5, Funny)
If you ask me, this site has been going downhill ever since they dropped Latin and started posting in English.
Re:Translating Roman Numerals... srsly??? (Score:5, Funny)
They would have kept one numbering system for the whole article, but "Zero-day" would have been really tough.
Re: (Score:1)
Re: (Score:2)
Some theorize that OSX would translate to 11-7-10
You're looking at it all wrong, it's actually a smiley for a dipsomaniac cyclops.
Re:Translating Roman Numerals... srsly??? (Score:4, Informative)
Adobe themselves do it. They have Acrobat X/XI on the marketing side, but installation and licensing call it Acrobat 10/11.
Re: (Score:1)
Re: (Score:1)
Reminds me of one of the direct to DVD/TV Revenge of the Nerds sequels, where the nerds' black fraternity leader wears his Malcolm the 10th hat.
not yet been able to verify the zero-day claims (Score:5, Funny)
They can if they cough up 50 grand for a copy. By the way, is anybody getting sued for uploading a free torrent?
Re: (Score:1)
These are folks that will break a kneecap instead of filing a lawsuit. That may be more effective.
Re: (Score:3)
In that case, I also have one of those thingymajigs, and I'll sell it for only 48 grand! I'll even throw in a small bridge in the bargain, for free!
Can't verify. (Score:5, Funny)
Sorry, we cannot verify this zero-day exploit; the computer we tested it on isn't working right for some reason.
This is Actually an Interesting Trend... (Score:5, Insightful)
If I remember correctly, Flame was first identified by Kaspersky, a Russian company. In this age wherein the US Government has a cyber-warfare division, it seems as though a large amount of the interesting, practical work in Computer Security is moving to Russia.
Re:This is Actually an Interesting Trend... (Score:4, Insightful)
Well since most of the interesting, practical work in Computer Insecurity is there as well, it makes sense.
Re: (Score:1)
Most interesting, practical work in Computer Insecurity... Do you mean Stuxnet, Flame, Duqu?
Re: (Score:2)
Re: (Score:2)
Yes, that's what I was implying. This also means it is important to have American antivirus companies around too, because there is a lot of cybercrime in Russia.
Re: (Score:2)
Soooo... we are operating on the principle of "He who smelt it, dealt it" in foreign policy now?
What is broken? The reader or the specs? (Score:5, Insightful)
High time people stop using the Adobe PDF reader, and disable the "active hyperlinks" in it if it can't be fully uninstalled. Just in case some malware manages to trick the browser into using the installed Adobe Reader, overriding the preference for Foxit Reader.
Re: (Score:3)
Foxit has its vulnerabilities too, although it helps that it isn't as commonly used.
While I do resort to Evince and, if absolutely necessary, Adobe (usually just for some work form PDF), I've found that most of the time I can get by with the new PDF.js functionality in Firefox.
http://hackademix.net/2011/12/07/hulk-want-pdfjs/
https://github.com/mozilla/pdf.js/
PDF.js plays nice with NoScript these days, btw. It used to require whitelisting the site (ugh).
Re: (Score:2)
Adobe Reader and Flash were previously the largest attack vectors... Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.
Re: (Score:3)
Adobe Reader and Flash were previously the largest attack vectors... Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.
Virtually all of those attacks are aimed at the code that integrates a Java runtime with a browser, as that's an extremely exposed part of the ecosystem. The plain old JRE is nowhere near as easy to attack (unless someone's running a moronic program, of course, but you can do that in any programming language except for ones you wouldn't use for anything serious at all) as it simply doesn't normally listen to the outside world. Other routes for doing Java things from a browser also tend to give me the willie
Re: (Score:2)
When 2.5 billion of those devices are dumb phones, no one cares if they're attacked.
Re: (Score:1)
I'm also wondering if Mac OS X and Preview are at risk, but as far as I know they're too "basic", i.e. a dumb viewer only, with no JavaScript and crap, so I'm guessing they're safer.
Re: (Score:2)
But I learnt that some of the security holes are actually in the PDF spec itself, and whatever $reader you are using, if it is faithful to the spec, the vulnerability will exist.
I'd be interested to see more details on this. What part of the spec is broken? It also seems to contradict common experience: the overwhelming majority of exploits are Adobe Reader-only, and don't affect other PDF readers at all. Do these other readers just not follow the spec? Is there something in there ordering that Flash/Ja
but wait, it gets worse (Score:5, Insightful)
Re: (Score:1)
businesses that are smart stick with their own proprietary formats.
Yes, Stallman has been campaigning for people to do this for years.
Re: (Score:2)
It gets worse than that, my friend. Reader X supports unsigned and unsandboxed embedded Flash!
So your browser will simply run it, and run whatever code comes from an infected ad server, without your AV software even being able to detect or stop it before it's too late.
Someone needs to be fired over that. Oh wait Adobe outsourced the team to India. What could possibly go wrong??
Get Foxit
Thing I've wondered about with exploit sales... (Score:1)
How does the person paying $50,000 know he'll receive a working exploit and not, say, a .rar of the shareware version of Jill of the Jungle?
Foxit people! (Score:1)
Adobe products are a security nightmare. It is 8 years behind even IE and XP! Just recently started signing apps? Just added a cutting edge feature called a sandbox a few months ago. Auto updates added just this year?? IE 7 had all of these.
No wonder hackers exploit this. It is a convenient way to bypass modern browser security that works across all platforms. No longer is it the case that using Firefox and going on familiar websites made you invincible. Just have unupdated Flash or Reader and BAM, instant
Re: (Score:2, Informative)
I don't get why people only go half the way from Acrobat to Foxit. Sumatra is Open Source, small, fast and, so far, hasn't failed me for any PDFs I've tried (admittedly none were of the stupid JavaScript online validating form crap variety).
Every IT pro should know about Sumatra.
Re: (Score:2)
I've tried Sumatra. Overall I like it, but I wish there was some way to get rid of the horrid yellow background. (Admittedly, you only see this if you don't have a document open.) Also, I do prefer Adobe Reader's choice of hand, text selector, and marquee zoom to Sumatra's method of only letting you use the hand if you're off the main page. And text rendering isn't quite as good in Sumatra, though that's due to the fact that it doesn't use the hacks that regular Windows text rendering does to look good on l
Re: (Score:3)
You can change the yellow background using the -bg-color command line argument. For example: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0x444444
It's described in the manual at kowalczyk.info.
Re: (Score:1)
I have not used Sumatra. I think fighting between the two is silly, like fighting over Firefox or Chrome when IE is still at 6.
I use Foxit because I am used to it. I ditched Reader early last year and I needed something compatible with most PDFs, and at the time Foxit had broader compatibility. Yes, Foxit does have JavaScript support, which can be a security risk, but it will not execute it without your permission first. Also, the JavaScript is sandboxed too, and you have to click an option to turn all of it on.
Way more complex than needed (Score:1)