Yet Another Adobe Bug

Nothing much but YES to agree with Didier Stevens with his statement:

PDF + JS = OMG

Yerp.. there is another vulnerability (CVE-2009-3459) in Adobe Reader and Acrobat today (GMT +8) and so far it is still 0 day..

*panic panic* What to do?

  1. Disable JavaScript support in Adobe Reader and Acrobat
  2. Enable DEP (for Windows)
  3. Use NoScript
  4. Use alternative PDF reader like Foxit, Gnome Document Viewer, yada yada..
  5. Don’t be a lame by opening unknown PDF attachment

Research shows that 80% of Web users running unpatched versions of Flash/Acrobat

According to a research published by Trusteer earlier this month, 79.5% of the 2.5 million users of their Rapport security service run a vulnerable version of Adobe Flash, with 83.5% also running a vulnerable version of Acrobat.

The company has also criticized Adobe by insisting that their update mechanism “does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals“, but is praising the update mechanism of Google’s Chrome and Firefox, whose silent updates close the window of opportunity for malicious attackers to take advantage of.

[Read more HERE]

More and More Exploits are Now Targeting Clientside & Mobile


[img source]

(The facts that I’m gonna talk about are based on my observations)

Back in mid 2007, Mass SQL injection that contain malicious JavaScript started to bring havoc the our cyberspace. But it brought not enough impact to alert and educate the internet user.. Until mid 2008 where another flood of Mass SQL injection happened attacking MS SQL and not so long after that people cant stop talking about 0day in IE, follow by Adobe Flash Player, Adobe Acrobat Reader, Mozilla Firefox and etc..

This clearly shows that the attacking vector is now somehow changed into the client side. This is due to the number of victim on the client side is way more compare to on the server side. Normally the mission of this kind of attack is to force the vulnerable application to crash and execute arbitrary code usually used to download another malicious file and execute it (drive by download). The victim (client) is now part of the attacker’s botnet. Awuuuooo0… (That is how the botnet sound alike.. Hahahaha)

Now in 2009, more and more client side attacks appear abusing IE, Firefox, Thunderbird, Adobe Acrobat Reader, Adobe Flash Player, Microsoft Office Power Point, Microsoft Office Excel, Google Chrome, Apple QuickTime, Foxit PDF Reader, Sun Java Runtime Environment, Adobe Shockwave Player, ActiveX and etc.. The attackers are also aware of the current world issues and trends. That is why we can see some events like H1n1, death of Michael Jackson, independent day, April Fool and many more events have been abuse by the attacker to phish for their victim.

Lately, within thin 2 months, a few mobile phone vulnerabilities have been found. iPhone, Symbian and Windows Mobile were hooked in these exploits. The attackers not only manage to get sensitive data/info from the mobile device, they also able to take control of the mobile device, and from the recent cases, victim’s mobile phones have been used to send spam SMS, MMS and also Email and at the same time, the SMS, MMS and email sent, work as an agent to ‘invite’ more device to be part of the ‘mobile botnet’ society. Awuuuooo0…

Till next time..

P/S: I am writing this entry while I’m working on my presentation slide for next week presentation in one of the organization of standardization and quality. So, I think these issues need to be highlighted as well in my slides. Beside of trends, the impact also need to be highlighted and ‘how bad is the impact could be’ should also be in part of the slide. The after discussing about the trend and impact, please make this as a habit which is to discuss on the prevention and the mitigation part as well. This is important because leaving the presentation stage without prevention or mitigation steps will create FUD to the audience and this is totally not a good practice!

Go to top