By Dancho Danchev
According to the latest prenotification security advisory from Adobe, next week, the company plans to issue a ‘security update’ for Adobe Reader X (10.1.2) running on Windows, Linux and Macintosh.
Adobe’s products are under permanent fire from malicious cybercriminals, exploiting known vulnerabilities in Adobe’s products, who succeed, primarily relying on the fact that end and corporate users are not patching in a timely manner.
More details:
By Dancho Danchev
Last week Adobe released the APSB12-17 Flash Player update. The update patches two critical security flaws — CVE-2012-0772 and CVE-2012-0773 – in the Adobe Flash player, and also, for the first time ever, introduces auto-patching mechanism. The update affects the following operating systems - Windows, Mac OS X, Linux and Solaris.
More details:
by Dancho Danchev
As part of its quarterly patch update, today Adobe issued a critical security update plugging multiple security holes in its Acrobat Reader, and Adobe Acrobat software applications.
More details:
By Mike Johnson
Several weeks back, I was presented with a group of snapshots from an active BlackHole Exploit Kit 1.2 Control Panel.
As with other toolkits I’ve seen in the wild, this one has all the makings of some real bad medicine. The authors have yet again gone to the trouble of making this toolkit incredibly easy to use and widely available for a price. Just a little unsavory web hosting in a country with few or no diplomatic relations and off to the races they go.
It appears this toolkit is configurable in both Russian and English, making one wonder its true origins.
I’ve slowly tracked URLs accompanying this toolkit and watched it dish out some very widely undetected malware, such as:
Information Stealing/Banking Trojans:
SpyEye
Zeus
Carberp
Mebroot Rootkit
Another more popular rootkit we’re seeing very widely on the Webroot realtime watch is: vSirefef.B/Zero-Access.
BlackHole toolkit preys on only two items in a user’s machine:
1) Unpatched operating system exploits
2) Internet browsers, add-in and plugin exploits such as Adobe and Java Software
Here are some of the known exploits the kit can execute on a victim’s machines.
Windows Operating Systems:
CVE-2010-1885 HCP (Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003)
http://technet.microsoft.com/en-us/security/bulletin/MS10-042
CVE-2006-0003 IE MDAC
http://technet.microsoft.com/en-us/security/bulletin/ms06-014
Adobe Software:
CVE-2008-2992 Adobe Reader util.printf
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2007-5659 Adobe Reader CollectEmailInfo
Java Software:
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin
The basic view the bot controller has is of the statistics page, which should indicate why I listed some of the expoits this toolkit is using. Not surprisingly, for as young as the kit is, you can see that both the Java and Adobe softwares are exploited far more than any others.
I’m sure some think they are safe using a browser other than Internet Explorer but it appears from this image there isn’t alot of difference in how this toolkit has behaved between the three browsers it’s touched.
As the authors have made this toolkit easy to use, they have also made it easy to maintain a low detection rate on the binaries by using an antivirus scanning service which does not share any binaries collected with the AV industry.
The easy-to-read statistics page make it simple for the controller to view and monitor how well or poor the current bot is doing – how many operating systems it’s infected, what type of operating systems were infected, and in which countries they’re located.
