ESET Threat Blog

Archive for July, 2009

Adobe Update Update (Update?)


Friday, July 31st, 2009

This is a quick follow-up to the earlier blog about Adobe updates.

I’ve just received notification that the Adobe Flash Player updates bulletin released yesterday has been updated: it now contains information about (and links to) the promised Adobe Reader and Acrobat patches.

Adobe states that it categorizes these updates as critical and recommends that you apply the patches (as indeed do I).

The update for Adobe Flash Player v9 and v10 for Solaris is still pending, and there’s no indication of time scale on that for the present.

The next quarterly security update for Adobe Reader and Acrobat has now been rescheduled for Tuesday, October 13.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Adobe Updates


Thursday, July 30th, 2009

I’d like to call your attention (again) to a major Adobe bulletin that was released yesterday (actually, still today, if you’re far enough behind GMT, but I’m sitting just a train ride away from Greenwich, UK).

In brief, the bulletin concerns the following CVE (Common Vulnerabilities and Exposures) issues:

  • CVE-2009-1862
  • CVE-2009-0901
  • CVE-2009-2395
  • CVE-2009-2493
  • CVE-2009-1863
  • CVE-2009-1864
  • CVE-2009-1865
  • CVE-2009-1866
  • CVE-2009-1867
  • CVE-2009-1868
  • CVE-2009-1869
  • CVE-2009-1870

Adobe categorizes the issues concerned as critical, and recommends:

  • That users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. 
  • That users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2.

Among other issues, the update for Adobe Flash Player provides remediation for the vulnerabilities in the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory 973882.

An update is also promised for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by today.

As Graham Cluley rightly points out in his blog on the same topic, Adobe has become almost the target of choice among black hats recently. (No, I haven’t got notification from Adobe yet: a good job I read other blogs, isn’t it?)

Perhaps even more significant, though, is the interdependency between applications demonstrated here. In a complex operating environment like Windows, it isn’t always practical to consider applications in isolation from each other: the ATL vulnerabilities highlighted at Blackhat affect both Adobe and Microsoft applications, and while the Flash Player update is a Good Thing, you also need the Microsoft update described here. While AV vendors are detecting some vulnerabilities proactively, you shouldn’t rely on AV detection alone, as exploits can sometimes be tweaked so as to evade detection by specific products.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Apple Announces QuickSand


Thursday, July 30th, 2009

Wow, talk about burying your head in the sand. One day Apple will learn, but that day is not today.

In an article at http://arstechnica.com/apple/news/2009/07/apple-claims-jailbreaking-could-bring-down-the-network.ars Apple claims that “jailbreaking” iPhones may cause their towers to crash.

The purpose in this claim is to avoid security at all costs and try to get the government to attack citizens rather than actually protect their assets.

Anything that a normal user with jailbreak software can do, a skilled hacker with intent can do better.

Apple needs to adopt a stance of both security and honesty.

Randy Abrams
Director of Technical Education

Looking for Trouble?


Wednesday, July 29th, 2009

You probably aren’t looking for trouble, but there’s a good chance you’ll find it when you search the internet. In an article in Information Week (http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218700239&cid=RSSfeed_IWK_All) it was reported that the bad guys are trying to make sure their bad web pages come up when you search common terms on the internet. In this case the article is specific to Google, but your best bet is that this is being done for all major search engines.

The logic is quite simple. Businesses try to make it so that when you search for anything, their advertisement or web site will appear. The people behind the malicious software are in business.

Be careful when you click on the links to web sites that come up in searches. Often you can make a pretty good guess as to whether or not the web site is relevant from the URL. It helps to understand URLs, and learning a bit about them can make your browsing experience much safer.

Randy Abrams
Director of Technical Education

You May Die from an Airbag


Tuesday, July 28th, 2009

Yes, it is true. Airbags in cars save a whole bunch more lives than they end up costing, but sometimes, on rare occasions, they may take a life that otherwise would have been saved. Almost anyone, except the instigators of the airbag story below, understands the trade-offs.

The TechnologyBUFOON.com, I mean Technologyreview.com published the following irresponsible headline with an obviously un-researched story.

Researcher: Update and You’re Owned

http://www.technologyreview.com/blog/unsafebits/23904/?nlid=2211

The premise is that many companies update their products using the http, rather than the https protocol. HTTPS is about encryption AKA privacy, not security.

There are attacks against https as well as http. It doesn’t matter what gets downloaded if it is not executed.

If a program requires a cryptographically strong signature before it executes the file, then it is far more secure than a program relying only upon https for a false sense of security.

You are magnitudes more likely to get “owned” for not updating than for using a program that updates via http, rather than https.
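The signature check the post describes, as an added example that is not code from the post or from any vendor's updater: a constructed Ed25519 vendor key signs the SHA-256 digest of an installer, and the client verifies that signature against its pinned public key before anything is executed, so bytes swapped in by an on-path attacker on a plain-HTTP download are refused. The function names, the key pair and the sample payloads are all assumptions constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what the updater receives: installer bytes plus a detached
// signature over their SHA-256 digest. Nothing depends on HTTP vs HTTPS.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

var errBadSignature = errors.New("update rejected: signature does not verify")

// vendorSign stands in for the vendor's build server (hypothetical): it signs
// the digest of the payload with a private key that never leaves the vendor.
func vendorSign(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyBeforeExecute is the client-side gate: recompute the digest, check it
// against the vendor public key pinned in the client, and only then return the
// payload for execution. A bad signature returns no payload at all.
func verifyBeforeExecute(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinned, digest[:], pkg.Signature) {
		return nil, errBadSignature
	}
	return pkg.Payload, nil
}

// tamperInTransit models an on-path attacker on a plain-HTTP download who can
// swap the installer bytes but cannot produce a signature for them.
func tamperInTransit(pkg UpdatePackage, replacement []byte) UpdatePackage {
	return UpdatePackage{Payload: replacement, Signature: pkg.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	genuine := vendorSign(priv, []byte("constructed sample installer v1.2"))
	if _, err := verifyBeforeExecute(pub, genuine); err == nil {
		fmt.Println("genuine update: signature verifies, safe to hand to the installer")
	}
	bogus := tamperInTransit(genuine, []byte("constructed replacement from an on-path attacker"))
	if _, err := verifyBeforeExecute(pub, bogus); err != nil {
		fmt.Println("tampered download:", err)
	}
}
```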

Shame on TechnologyReview for such an irresponsible headline.

Randy Abrams
Director of Technical Education

More Adobe Update Information


Tuesday, July 28th, 2009

Adobe has issued an important announcement, much of it relating to the impact of vulnerabilities in the Microsoft Active Template Library (ATL) flagged as CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 and described in Microsoft Security Advisory (973882) on Adobe products used as Internet Explorer plug-ins.

It appears that Flash Player and Shockwave Player "leverage" vulnerable versions of ATL.

According to Adobe, the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are not subject to the above vulnerabilities. Flash Player within Firefox and other browsers (apart from IE) does not share the vulnerabilities, and nor do Flash Player and Shockwave Player on Macintosh, Linux and Solaris.

The latest version of Shockwave Player, which is now available for download (http://get.adobe.com/shockwave), has been patched. The Flash Player vulnerability will be patched in the update due on July 30, 2009.

Sensibly, Adobe recommend the installation of the MS09-034 security update, which provides mitigation against the vulnerabilities in the relevant versions of ATL.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Fly By Wireless


Tuesday, July 28th, 2009

No, nothing to do with drive-by downloads…

Our colleagues in Europe came up with a nice idea: an article on the dangers of web surfing on free wi-fi and some tips on staying safe. (A topic dear to the hearts of all of us who find ourselves out and about with our laptops from time to time, though I usually find myself sitting in airports and hotels rather than in parks or by city fountains. Ah well…)

I’m sure I don’t have to tell you that wi-fi is intrinsically not, in general, as safe as wired connections (and no, you shouldn’t assume that a wired connection is safe: there may be such a thing as a free lunch – I had one myself last week (thank you, AMTSO!) – but safe networks are another matter). So ESET have come up with a few tips on precautions that you can take to make your summer surfing experience a little safer, though most of them aren’t particularly unique to using wi-fi.

  1. Keep your system and applications updated. Of course, you should be doing this all the time anyway, not just in order to feel safe when you’re browsing in the park. And talking of browsers, while there are plenty of malicious sites that use drive-by browser exploits, don’t forget that a lot of current malware reaches its target via PDFs, Microsoft Office documents and so on. Which means that you need to keep applications like Adobe Reader and Office up-to-date with patches. Fortunately, the big players in those sectors, like Microsoft, Adobe, and indeed Apple and Linux, are getting better at making it harder to avoid updating than to update.
  2. Change your passwords frequently: painful though most of us find this, it does limit the extent to which your systems are exposed if something does get through.
  3. Use different passwords for different accounts and resources, so that if one does leak, it doesn’t mean that an attacker has access to everything you own and every service you access.
  4. Use strong passwords or passphrases – a combination of upper and lower-case letters, numbers, and other characters. There’s a document I put together some years ago on selecting passwords here (actually, there are lots of good resources on the Securing Our eCity website: see the link at the end of this blog). There’s also a more recent document by Randy and myself due to appear shortly on the white papers page (also linked below).
  5. Create a specific user profile for public surfing. Don’t use your current profile, especially if it has administrator rights. Using a profile that doesn’t have administrator privileges is likely to restrict the amount of damage an attacker can do if he does get access to your system. 
  6. Back up your data before you take your laptop out. Then, if your laptop is stolen or damaged, you won’t have lost all that information (though you should still change passwords straightaway if the PC is lost). We can all take a lesson from this: when I was mugged in Windhoek last year, I was able to replace all the kit that was stolen, but it was only a matter of luck that I wasn’t carrying my laptop: if that had been gone, I would have lost some data, and it could have set me back many months.
  7. Make sure your security software is updated regularly and automatically, but don’t assume it will protect you from everything. Wi-fi is inherently insecure and you need to use common sense as well.
  8. The guys in Europe quote Pierre-Marc on the subject of Man-In-The-Middle (MITM) attacks: "If someone else is on the network, he can modify network traffic and let you think you are dealing with your bank while, in reality, you are sending him all your credentials."
  9. WEP encryption, as used on many Wi-Fi networks, is weak and easy to crack: later protocols (WPA and, better, WPA2) are stronger, but you shouldn’t assume that they’ll protect you from all kinds of attacks.
  10. I’d always recommend disabling the sharing of files or folders, but it’s not just the settings on your computer that can save you from the hacker’s grasp: you also need to take care which sites you surf. Wherever possible, avoid connecting to websites that involve the transfer of sensitive information, such as online banking, and if you must access webmail, use the HTTPS option. Also, make sure your browser and supplementary and helper applications such as Flash and Adobe Reader are kept fully patched, if you must use them, given all the Adobe exploits around at the moment.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/ 

Patchwork


Monday, July 27th, 2009

I’ve been up to my ears in travelling and AMTSO and had limited connectivity over the last week, but even I noticed that a lot of patching issues have risen to the surface in the past few days. In case some of this has passed you by, here are a few of the more prominent issues.

Perhaps the highest-profile issue is the out-of-band patches announced by Microsoft for release tomorrow (Tuesday 28th July). Developers will want to be aware of the bulletin relating to the Visual Studio range, as well as some major updates to Internet Explorer which will (or should!) concern everyone. The fact that Microsoft has suddenly inserted these updates without waiting for the next Patch Tuesday is a clear indication that there are vulnerabilities here that the company is taking very seriously. And Microsoft is not known for overemphasis when it comes to patch issues: if it is taking a patch seriously, the rest of us should, too.

As Heise have pointed out, it’s very likely that a certain Black Hat presentation has a very specific impact on the sudden perception of the importance of this issue.

In the meantime, Adobe have published some notes on mitigation of a "Local Privilege Escalation in Adobe Reader Installer", hard on the heels of a Flash vulnerability described in some detail by the Internet Storm Center. Adobe have promised mitigation around the end of the month.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Hotmail’s Delay May Facilitate Fraud


Monday, July 27th, 2009

I received an email from an acquaintance this morning. It said:

Please Urgent Needed

Hello,
  How are you doing?hope all is well, I"m sorry that i didn’t inform you about my traveling to England for a Seminar.I need a favor from you as soon as you receive this e-mail because i misplaced my wallet on my way to the hotel where my money is and other valuable things were kept, i will like you to assist me with a  loan urgently. I will be needing the sum of $2,500 to sort-out my hotel bills and get myself back home.I will appreciate whatever you can afford to help me with,I will pay you back as soon as i return. Kindly let me know if you can be of help? so that i can send you the details.
 
Any asistant you can offer will be greatly appreciated
 
Lynda

If you google “I"m sorry that i didn’t inform you about my traveling to England for a Seminar.”, you will instantly find this is a scam involving a hijacked email account. I emailed Hotmail at 3:11 AM PDT. I also responded to “Lynda”. At 9:13 AM I received an email from the attacker, posing as Lynda, thanking me and asking me to send the money through Western Union. Hotmail has yet to take action. Yeah, I know not to send the money, but I don’t know about Lynda’s other friends.

The delay by Hotmail may allow this attacker to victimize Lynda’s friends. I would contact Lynda myself, but I only have her hotmail address.

If you ever receive a request for help in email, call your friend on the phone first!

Randy Abrams
Director of Technical Education

Is it my Business?


Monday, July 27th, 2009

Do you ever use a public computer? Do you realize that potentially everything you type and read may be public information?

I was checking a hotel business center computer this weekend. I found some interesting stuff. A military document for a local air force base. It wasn’t classified. The confidential test results for a semi-synthetic lubricant, the sales figures for a medical supplier and an aircraft flight log. On the personal side I found a Yahoo email message with a purchase confirmation that included the person’s name, address, email address, a link to their online purchase account and what they bought. There was a letter to “one of the other women”. A picture of a cute young girl she took with her cell phone in a fitting room was amusing. At least she was fully clothed.

When you use a business center computer, a library computer, or any public computer it is safest to assume that all you type and read is public information. For that reason I never use such computers for banking, email, VPN access, or anything with a password.

Anything you do on a public computer is everybody’s business!

Randy Abrams
Director of Technical Education