Posts byJuha-Matti

Security consultant from Finland

Adobe 0-day vulnerability (CVE-2009-4324) – what this means?


SecuriTeam Blogs contains several FAQ documents about MS Office vulnerabilities used in targeted attacks since 2006. This time I’m not writing a FAQ. This document has answers to What this means type questions.

What an organization can make to protect?


#1 Disable JavaScript. Deploy a system to deliver this setting to all workstations. This is not the last Adobe 0-day which we will see.

What this means?

Go to Edit>Preferences menu, select item ‘JavaScript’, Uncheck “Enable Acrobat JavaScript” and to save the setting click ‘OK’.


#2 Enable DEP

Some Windows systems include Data Execution Prevention (DEP) functionality.

What this means?

If your organization is using Windows versions with DEP support the code execution can be avoided.

Adobe has confirmed these mitigation advices in security advisory APSA09-07, but as mentioned DEP method doesn’t fully prevent the exploitation.


#3 Do not open PDF documents from unknown sources AND received unexpectedly.

What this means?

If you don’t know the sender who is sending you file attachments there is always a risk that you are a victim of targeted attack. Remember that the sender can be easily spoofed as well.


#4 Switch to alternative PDF reader.

There are many free and commercial products. However, they are often affected by Adobe vulnerabilities too and a patching policy is needed when switching to another product.

What this means?

Changing the PDF reader in large organization is not an easy move. Today is a good day to start the planning project.

Let’s talk about technical details with some words. The vulnerability exists in Doc.media.newPlayer method. The Trojan in these attacks generated connections to http: // foruminspace dot com and http: // newsplaza dot net (these servers are located in Malaysia).

AV vendors use the following names when detecting the malicious PDF document:

Exploit.JS.Pdfka.atq (Kaspersky)

Exploit:W32/AdobeReader.UZ (F-Secure)

Exploit-PDF.ag (McAfee)

PDF/Pidief.NQ (CA)

Trojan.Pidief.H (Symantec)

TROJ_PIDIEF.PGS (Trend Micro)

Troj/PDFJs-FS (Sophos)

The size of the infected PDF document is 400,918 bytes. The file name varies, but it can be note200911.pdf, note_20091210.pdf or Outline of Interview.pdf.

And the winners of the oldest incident contest are…

Open Security Foundation’s DataLossDB has announced the winners of oldest incident contest.

One of the oldest documented issue is TRW incident from 1984, when the database of credit history of 90 million American citizen was breached.
Link here.

Update: The winner is an incident from August 1953, when SSN’s were lost.

The oldest vulnerability is known – let’s find the oldest data loss incident

The oldest documented vulnerability in computer security world is password file disclosure vulnerability from 1965, found by Mr. Ryan Russell.

Open Security Foundation – an organization behind OSVDB and DataLossDB has launched a competition to find the oldest documented data loss incident.

The last day to make a submission is next Friday – 15th May.
The link is easy to remember – datalossdb.org/oldest_incidents_contest.

Give me your fingerprints, I’ll sell you a mobile phone

There will be a new national register of mobile phone users in Mexico.

Under a new law published on Monday and due to be in force in April, mobile phone companies will have a year to build up a database of their clients, complete with fingerprints. The idea would be to match calls and messages to the phones’ owners.

(underlining added)

Mexico has a very strong culture of using prepaid phones.

OS X malware family has a new member: OSX.Lamzev.A

New Trojan horse for Mac environment has been discovered.

The Trojan is known as OSX.Lamzev.A by Symantec.

When it is executed it will create the file ezmal to the Applications folder (the name is Applications in localized installations too).

The names of earlier widely known OS X malware are Mac.Hovdy.a (June ’08), OSX.Exploit.Launchd (June ’06) and Leap.A (February ’06). When saying ‘widely known’ it doesn’t mean that they were widely spreaded.

I remember the exact number of 63 when talking about known Mac malware.

There are no worms for Apple – yet.

The victims of RPC Trojan Gimmiv were XP boxes in Asia

The RPC Worm Victim List has a list [.txt] of hundreds machines and they are mainly Windows XP machines (MSIE 6.0 or MSIE7.0; Windows NT 5.1 in browser’s user agent).

I made a script to generate WHOIS queries and the results say that the victim machines are located mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam. There are only some machines in France, UK, and USA.

It’s very interesting that there is an IP from Microsoft too – a Wget machine with IP address 64.147.0.80. The Wget version is 1.10.2.

Whois Record

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 131.107.0.0 – 131.107.255.255
CIDR: 131.107.0.0/16
NetName: MICROSOFT

There are several Wget UA’s included, one with the version number Wget/1.8.2 too.

I recommend that Redmon guys patch that machine ASAP 😉