Adobe Flash/Acrobat/Reader exploits-in-the-wild...


50 replies to this topic

#31 AplusWebMaster

Posted 06 June 2011 - 11:31 AM

FYI...

Hacks exploit Flash bug in new attacks against Gmail users
- http://www.computerw...nst_Gmail_users
June 6, 2011 - "Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users... '... we cannot assume that other Web mail providers may not be targeted as well'..."

> http://forums.whatth...=...st&p=734520


Edited by AplusWebMaster, 06 June 2011 - 07:35 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#32 AplusWebMaster

Posted 15 June 2011 - 10:00 AM

FYI...

- http://secunia.com/advisories/44964/
Release Date: 2011-06-15 ... vulnerability is reportedly being actively exploited in targeted attacks... (Flash Player) 10.3.181.23 and earlier...
Solution: Apply updates... (10.3.181.26*)...

- http://www.securityt....com/id/1025651
Jun 14 2011 - CVE-2011-2110
... This vulnerability is being actively exploited via targeted web pages.
Impact: A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix 10.3.181.26*...

* http://forums.whatth...=...st&p=736114

Edited by AplusWebMaster, 15 June 2011 - 10:33 AM.


#33 AplusWebMaster

Posted 17 June 2011 - 12:37 PM

FYI...

Flash exploits on the loose...
- http://www.shadowser...lendar/20110617
17 June 2011 - "... earlier in the week Adobe issued multiple security updates, which included an update for Adobe Flash Player by way of APSB11-18. What you may not know is that the issue fixed by this update, CVE-2011-2110, is being exploited in the wild on a fairly large scale. In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs, aerospace companies, a Korean news site, an Indian Government website, and a Taiwanese University. The links are also being used in targeted spear phishing attacks designed to lure particular individuals into clicking the links with hopes of compromising their machines. In case there is any doubt at all, this is very bad. If you run a version of Adobe Flash that is -older- than 10.3.181.26 (or 10.3.181.24 for Android), then it is absolutely -critical- that you update your Flash Player. You can check your Flash version by clicking here*...
* http://kb2.adobe.com...5/tn_15507.html
... exploit takes advantage of a vulnerability in the ActionScript Virtual Machine. It then uses heap information leakage in order to avoid spraying the heap and crashing the process. The exploit is also able to bypass Windows' data execution prevention (DEP)... We are aware of several sites in the wild that are either compromised and pointing to exploits or are actually housing the exploits themselves. In some cases a single site may be both compromised and housing the malicious download. Right now we only have a limited set of exploit sites we can share due to various restrictions...
Note: Do not visit these URLs as they are malicious and should be considered dangerous..."
(More detail and list at the shadowserver URL above.)

>> http://forums.whatth...=...st&p=736114

- http://web.nvd.nist....d=CVE-2011-2110
Last revised: 06/17/2011
CVSS v2 Base Score: 10.0 (HIGH)
"... before 10.3.181.26... as exploited in the wild..."
___

MMPC Telemetry on CVE-2011-2110 Attack Attempts during June 17 – 30, 2011
- http://www.microsoft.../BID593-004.png
1 Jul 2011
- http://blogs.technet...nerability.aspx
___

- http://www.malwaredo...rdpress/?p=1872
June 17th, 2011 in 0day, Domain News - "... Several domains containing malicious payloads are listed. We’ll be adding these domains on the next update, but you should add the domains and IP addresses to your domain and ip blocklist ASAP."

Edited by AplusWebMaster, 02 July 2011 - 04:50 AM.


#34 AplusWebMaster

Posted 17 July 2011 - 06:34 PM

FYI...

60% of Adobe Reader users unpatched...
- http://www.darkreadi...le/id/231001642
Jul 13, 2011 - "Six out of every 10 users of Adobe Reader are running unpatched versions of the program, leaving them vulnerable to a variety of malware attacks... In a study of its own antivirus users, Avast Software found that 60.2 percent of those with Adobe Reader were running a vulnerable version of the program... More than 80 percent of Avast users run a version of Adobe Reader... Brad Arkin, senior director of product security and privacy at Adobe, agreed with the Avast analysis. "We find that most consumers don’t bother updating a free app, such as Adobe Reader, as PDF files can be viewed in the older version," he said... Malware PDF exploit packages will typically look for a variety of security weaknesses in the targeted computer, attacking when an uncovered vulnerability is discovered..."



#35 AplusWebMaster

Posted 10 August 2011 - 02:42 PM

FYI...

Adobe Reader - Unpatched in the Enterprise ...
- http://www.zscaler.c...-Web-2011Q2.pdf
Zscaler 2011-Q2 Report PDF pg. 12 - "... Adobe reader is installed in 83% of all enterprise browsers, and is out of date in 56% of those installations... the increasingly popular Blackhole Exploit kit includes a variety of payloads designed to target recent Adobe Reader vulnerabilities..."
August 10, 2011

Graphic: Out-of-date plugins
- http://i.zdnet.com/b...ser_plugins.png
August 9, 2011

- http://www.h-online....iew=zoom;zoom=1
16 August 2011

Edited by AplusWebMaster, 16 August 2011 - 07:05 PM.


#36 AplusWebMaster

Posted 06 December 2011 - 04:05 PM

FYI...

Adobe Reader/Acrobat Security Advisory - APSA11-04
- http://www.adobe.com.../apsa11-04.html
December 6, 2011
Summary: "A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. We are planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012. For further context on this schedule, please see the corresponding ASSET blog* post."
* http://blogs.adobe.c...-2011-2462.html
December 6, 2011

- http://web.nvd.nist....d=CVE-2011-2462
Last revised: 12/08/2011
CVSS v2 Base Score: 10.0 (HIGH)
"... as exploited in the wild in December 2011..."

- http://h-online.com/-1391441
7 December 2011

Reader 0-day exploit in-the-wild...
- http://www.symantec....-exploited-wild
___

- http://www.securityt....com/id/1026376
Dec 6 2011
Impact: Execution of arbitrary code via network, User access via network
... A remote user can create a specially crafted PDF file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system. The code will run with the privileges of the target user...

- https://secunia.com/advisories/47133/
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
CVE Reference: CVE-2011-2462
Solution: Do not open untrusted PDF files. A fix is scheduled to be released for Adobe Reader and Acrobat 9.x for Windows in the week of December 12, 2011.
Provided and/or discovered by: Reported as a 0-day.
Original Advisory: http://www.adobe.com.../apsa11-04.html

Edited by AplusWebMaster, 11 December 2011 - 11:15 AM.


#37 AplusWebMaster

Posted 08 December 2011 - 06:55 AM

FYI...

Flash Player 0-day vulns - unpatched
- http://www.securityt....com/id/1026392
Date: Dec 8 2011
Impact: Execution of arbitrary code via network, User access via network...
Version(s): 11.1.102.55 and prior versions
Description: Two vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system...
Impact: A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
___

- http://arstechnica.c...ware-vendor.ars
December 8, 2011 - "InteVyDis, a Russian firm specializing in packaging software security exploits, has released a software module that can give a remote computer access to an up-to-date Windows 7 machine running the most recent version of Adobe Flash Player 11..."
___

- http://web.nvd.nist....d=CVE-2011-4693
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist....d=CVE-2011-4694
CVSS v2 Base Score: 9.3 (HIGH)
Original release date: 12/07/2011
Last revised: 12/13/2011

- https://isc.sans.edu...l?storyid=12166
Last Updated: 2011-12-08 21:52:32 UTC

- https://secunia.com/advisories/47161/
Release Date: 2011-12-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... vulnerability is reported in version 11.1.102.55. Other versions may also be affected.
Solution: Do not browse untrusted sites or disable the player.
Original Advisory:
- http://archives.neoh...11-q4/0081.html
Dec 06 2011 - "... bypasses DEP/ASLR and works on Win7/WinXP with FF, Chrome and IE..."

Oracle Solaris Adobe Flash Player...
- https://secunia.com/advisories/47180/
Release Date: 2011-12-09
Criticality level: Highly critical...

Edited by AplusWebMaster, 10 January 2012 - 04:19 PM.


#38 AplusWebMaster

Posted 15 December 2011 - 07:45 AM

FYI...

- http://forums.whatth...=...st&p=763322
Dec. 16, 2011
___

- http://www.symantec....eatconlearn.jsp
Updated: Dec 21 - "... For the period of December 8, 2011 through December 20, 2011, Symantec intelligence products have detected a total of -780- attempted exploits of CVE-2011-2462*. Exercise extreme caution when opening PDF files from untrusted sources. Any email attachments received from unfamiliar senders or unexpectedly from known senders should be treated suspiciously. Email attachments are a common vector for targeted attacks using vulnerabilities of this kind..."
___

- https://www.adobe.co.../apsa11-04.html
Last updated: December 15, 2011 - "... We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows on December 16, 2011..."

* http://web.nvd.nist....d=CVE-2011-2462
Last revised: 12/21/2011
CVSS v2 Base Score: 10.0 (HIGH)
"... as exploited in the wild in December 2011..."

Edited by AplusWebMaster, 21 December 2011 - 07:55 AM.


#39 AplusWebMaster

Posted 24 February 2012 - 08:02 AM

FYI...

Flash Player v11.1.102.62 update
- http://www.symantec....eatconlearn.jsp
Feb 24, 2012 - "On February 15, 2012, Adobe released a patch for Flash Player fixing vulnerabilities on all platforms. One of these is a cross-site scripting (XSS) vulnerability that is being exploited in the wild through links in emails (CVE-2012-0767*, BID 52040). A cross-site scripting vulnerability can allow an attacker to make HTTP requests masquerading as the affected user. Since this vulnerability was reported by Google, it is likely that it has been used in attempted attacks on Gmail accounts - similarly to the XSS vulnerability exploited in June 2011 to infiltrate victims' Gmail accounts (CVE-2011-2107). An attacker must entice a user into visiting a malicious link in the email to trigger the vulnerability. Customers are advised to install applicable updates as soon as possible.
Adobe Security Bulletin: Security update available for Adobe Flash Player ..."
http://forums.whatth...=...st&p=773578

* http://web.nvd.nist....d=CVE-2012-0767
Last revised: 02/25/2012 - "... before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x... as exploited in the wild in February 2012"

Edited by AplusWebMaster, 25 February 2012 - 09:25 AM.

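The affected ranges that NVD gives for CVE-2012-0767 in the post above differ per release branch and per Android version, so a single "older than X" comparison misclassifies hosts. The following is an added example, not part of the original post or of any vendor tool, that applies those ranges to a constructed inventory; the host names, the inventory layout and the function names are assumptions.

```python
import re

# Fixed-version boundaries, taken from the NVD text for CVE-2012-0767 quoted above.
DESKTOP_FIXED_10X = (10, 3, 183, 15)   # "before 10.3.183.15"
DESKTOP_FIXED_11X = (11, 1, 102, 62)   # "11.x before 11.1.102.62"
ANDROID_FIXED = {
    2: (11, 1, 111, 6),                # Android 2.x and 3.x
    3: (11, 1, 111, 6),
    4: (11, 1, 115, 6),                # Android 4.x
}
DESKTOP = {"windows", "mac os x", "linux", "solaris"}


def parse_version(text):
    """Parse '11.1.102.55' or the player's own 'WIN 11,1,102,55' form into four ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(g) for g in m.groups())


def affected_by_cve_2012_0767(platform, version, android_major=None):
    """True if this install falls inside the affected range for its branch."""
    v = parse_version(version)
    platform = platform.lower()
    if platform in DESKTOP:
        # The 10.x and 11.x branches were patched separately; pick the right boundary.
        if v[0] >= 11:
            return v < DESKTOP_FIXED_11X
        return v < DESKTOP_FIXED_10X
    if platform == "android":
        if android_major not in ANDROID_FIXED:
            raise ValueError(f"no boundary listed for Android {android_major}")
        return v < ANDROID_FIXED[android_major]
    raise ValueError(f"platform not covered by the advisory text: {platform!r}")


def naive_check(version):
    """The common mistake: one threshold, compared as strings."""
    return version < "11.1.102.62"


# Constructed inventory: (host, platform, reported version, Android major or None).
INVENTORY = [
    ("ws-01", "Windows", "WIN 11,1,102,55", None),   # 11.x, below the fix
    ("ws-02", "Windows", "10.3.183.15", None),       # patched 10.x branch
    ("ws-03", "Linux", "9.0.124.0", None),           # very old, affected
    ("ws-04", "Mac OS X", "11.1.102.62", None),      # patched 11.x
    ("ph-01", "Android", "11.1.111.6", 4),           # fine on 2.x/3.x, not on 4.x
    ("ph-02", "Android", "11.1.111.6", 2),
]


def vulnerable_hosts(inventory):
    return [host for host, platform, version, android_major in inventory
            if affected_by_cve_2012_0767(platform, version, android_major)]


if __name__ == "__main__":
    print("needs update:", vulnerable_hosts(INVENTORY))
    # The string comparison flags the patched 10.x host and misses the 9.x host.
    print("naive 10.3.183.15:", naive_check("10.3.183.15"))
    print("naive 9.0.124.0:", naive_check("9.0.124.0"))
```
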

#40 AplusWebMaster

Posted 09 March 2012 - 11:15 AM

FYI...

Flash exploit released...
- http://atlas.arbor.n...ndex#-957676977
Severity: Elevated Severity
Published: Thursday, March 08, 2012 20:33
An exploit for a month-old Adobe Flash vulnerability has been released to the public. Ensure systems are protected.
Analysis: This security vulnerability, patched on Feb 15th, was used in a targeted attack around March 5th
- http://contagiodump....ns-oil-and.html *
... and now a Metasploit module has been released to the public. Given the widespread install base of Flash, users are strongly encouraged to ensure that patching has taken place. Now that the code is public, it will likely be used in commodity exploit kits very soon to install malware."
* http://web.nvd.nist....d=CVE-2012-0754 - 10.0 (HIGH)

* https://www.virustot...5ca62/analysis/
File name: us.exe
Detection ratio: 27/43
Analysis date: 2012-03-07 16:19:36 UTC
* https://www.virustot...sis/1331313285/
File name: CVE-2012-0744-xls.swf
Detection ratio: 8/43
Analysis date: 2012-03-09 17:14:45 UTC
* https://www.virustot...3f4a4/analysis/
File name: 12e36f86ce54576cc38b2edfd13e3a5aa6c8d51c.bin
Detection ratio: 24/43
Analysis date: 2012-03-10 23:57:50 UTC

>> http://forums.whatth...=...st&p=776580

Edited by AplusWebMaster, 10 March 2012 - 09:30 PM.


#41 AplusWebMaster

Posted 07 November 2012 - 04:38 PM

FYI...

Adobe PDF Reader 0-day in-the-wild ...
- https://krebsonsecur...r-adobe-reader/
Nov 7th, 2012 - "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X– Adobe introduced a “sandbox” feature aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has held its ground. But according to Andrey Komarov, Group-IB’s head of international projects, this vulnerability allows attackers to sidestep Reader’s sandbox protection...
> https://www.youtube....GF8VDBkK0M#t=0s
... Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available... Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit, a malicious software framework sold in the underground that is designed to be stitched into hacked Web sites and deploy malware via exploits such as this one... consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF*."
* http://blog.kowalczy...pdf-viewer.html
___

- http://h-online.com/-1746442
8 Nov 2012

Edited by AplusWebMaster, 08 November 2012 - 09:52 AM.


#42 AplusWebMaster

Posted 19 December 2012 - 05:04 PM

FYI...

Shockwave player - vulnerable Flash runtime
* http://www.kb.cert.org/vuls/id/323161
Last revised: 17 Dec 2012 - "Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems provide a vulnerable version of the Flash runtime..."

- http://h-online.com/-1772754
19 Dec 2012 - "US-CERT has warned that a security hole exists in Adobe's Shockwave Player*. Version 11.6.8.638 and earlier versions that were installed using the company's "Full" installer are affected. These all include an older version of Flash (10.2.159.1) that contains several exploitable vulnerabilities. Shockwave uses a custom Flash runtime instead of a globally installed Flash plugin. According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content. As the Shockwave Player tends to be used only rarely, simply uninstalling the software can provide protection. Adobe is even offering an uninstaller** for this purpose..."
** https://www.adobe.co...oad/alternates/
(See "Shockwave Player Uninstaller".)

- https://krebsonsecur...-shockwave-bug/
Dec 19, 2012 - "... U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013..."

- http://www.securityt....com/id/1027903
- http://www.securityt....com/id/1027904
- http://www.securityt....com/id/1027905
Dec 20 2012

- https://web.nvd.nist...d=CVE-2012-6270 - 9.3 (HIGH)
- https://web.nvd.nist...d=CVE-2012-6271 - 9.3 (HIGH)

Edited by AplusWebMaster, 24 December 2012 - 09:48 AM.


#43 AplusWebMaster

Posted 01 February 2013 - 06:18 AM

FYI...

Backdoor/phish targets...
- http://www.symantec....efense-industry
30 Jan 2013 - "... we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least -12- different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors...
> https://www.symantec...s/Figure1_3.png
... The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make it seem as though this email originally came from the company that authored the report. The emails were also crafted to look as though they were being forwarded by internal employees or by individuals from within the industries identified. When the malicious PDF attached to the email is opened, it attempts to exploit the Adobe Flash Player CVE-2011-0611 'SWF' File Remote Memory Corruption Vulnerability. If successful, it drops malicious files as well as a clean PDF file to keep the ruse going.
> https://www.symantec.../Figure2New.png
In addition to the clean PDF file, the threat drops a malicious version of the svchost.exe file. This file then drops a malicious version of ntshrui.dll into the Windows directory. The threat leverages a technique known as DLL search order hijacking (the ntshrui.dll file is not protected by KnownDLLs). When the svchost.exe file calls the explorer.exe file, it will load the malicious ntshrui.dll file in the Windows folder -instead- of the legitimate ntshrui.dll file in the Windows system directory. Symantec detects both the svchost.exe and ntshrui.dll files as Backdoor.Barkiofork. This version of Backdoor.Barkiofork has the following capabilities:
• Enumerates disk drives
• Contacts the command-and-control (C&C) server at osamu.update .ikwb .com *
• Steals system information
• Downloads and executes further updates
This spear phishing campaign continues to show the sophistication and preparation of attackers, especially gathering intelligence on what social engineering will best entice targets. Organizations should ensure proper email security is in place and also make patch management a priority, as the vulnerability exploited here was patched in 2011."
* 192.74.239.245 / https://www.google.c...c?site=AS:54600


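A detection check for the DLL search order hijacking described in the Symantec excerpt above, as an added example that is not part of the original post or of Symantec's write-up. It generalizes from ntshrui.dll to any DLL sitting next to explorer.exe that shadows a same-named System32 DLL and is not covered by KnownDLLs; the function names and the directory tree built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Standard registry location of the KnownDLLs list (under HKEY_LOCAL_MACHINE).
KNOWN_DLLS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"


def load_known_dlls():
    """Read the KnownDLLs file names from the registry. Windows only."""
    import winreg  # imported here so the rest of the module runs on any OS
    names = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWN_DLLS_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for i in range(value_count):
            _name, data, _type = winreg.EnumValue(key, i)
            if isinstance(data, str) and data.lower().endswith(".dll"):
                names.add(data.lower())
    return names


def _dlls(directory):
    """Map lower-cased DLL file name -> path for files directly in directory."""
    return {p.name.lower(): p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir, known_dlls):
    """List DLLs in app_dir that a program started from app_dir would load
    in place of the same-named DLL in system_dir.

    KnownDLLs entries are skipped: the loader always takes those from the
    system directory, so a copy beside the executable is not picked up.
    """
    known = {n.lower() for n in known_dlls}
    system = _dlls(system_dir)
    findings = []
    for name, path in sorted(_dlls(app_dir).items()):
        if name in known or name not in system:
            continue
        findings.append({
            "name": name,
            "shadow": str(path),
            "system_copy": str(system[name]),
            # A differing hash is a lead for review, not proof of compromise.
            "content_differs": _sha256(path) != _sha256(system[name]),
        })
    return findings


def demo():
    """Run the check against a constructed tree that mirrors the described case."""
    with tempfile.TemporaryDirectory() as root:
        windir = Path(root, "Windows")
        sysdir = windir / "System32"
        sysdir.mkdir(parents=True)
        (windir / "explorer.exe").write_bytes(b"constructed")
        (sysdir / "ntshrui.dll").write_bytes(b"constructed legitimate copy")
        (windir / "ntshrui.dll").write_bytes(b"constructed planted copy")
        (sysdir / "kernel32.dll").write_bytes(b"constructed")
        (windir / "kernel32.dll").write_bytes(b"constructed other copy")  # KnownDLL
        (windir / "twain_32.dll").write_bytes(b"constructed")  # no System32 twin
        return find_shadowing_dlls(windir, sysdir, {"kernel32.dll"})


if __name__ == "__main__":
    if os.name == "nt":
        windir = Path(os.environ["SystemRoot"])
        results = find_shadowing_dlls(windir, windir / "System32", load_known_dlls())
    else:
        results = demo()
    for finding in results:
        print(finding)
```
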

#44 AplusWebMaster

Posted 13 February 2013 - 06:26 AM

FYI...

- http://forums.whatth...=...st&p=813501
Feb 20, 2013
___

Adobe 0-day Reader/Acrobat exploit in-the-wild
- https://blogs.adobe....ity-report.html
Feb 12, 2013 - "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog* for the latest information."
* http://blogs.adobe.com/psirt/

- https://secunia.com/advisories/52196/
Release Date: 2013-02-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: No official solution is currently available.
... Reported as a 0-day.
Original Advisory:
- https://www.adobe.co.../apsa13-02.html
Last updated: Feb 16, 2013
CVE number: CVE-2013-0640, CVE-2013-0641
"... Mitigations: Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method. Further information about enabling Protected View for the enterprise is available here:
> https://www.adobe.co...tectedview.html
... Adobe is in the process of working on fixes for these issues and plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013..."

- http://arstechnica.c...-on-by-default/
Feb 14, 2013 - "... the "protected view" feature prevents the current attacks from working — but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK.
There's also a way for administrators to enable protected view on Windows machines across their organization... It's unclear why protected view isn't turned on by default..."

>> http://www.f-secure....otectedView.png

- http://blog.fireeye....s-pdf-time.html
Feb 13, 2013 - "... we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1. Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain... we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public..."

- http://www.f-secure....s/00002500.html
Feb 13, 2013 - "... Consider mitigating your Adobe Reader usage until there's an update from Adobe..."

- http://blog.trendmic...s-adobe-reader/
Feb 13, 2013 - "... Java, Internet Explorer, Adobe Flash Player, and now, Adobe Reader – just two months into 2013, we have already witnessed high-profile cases in which attackers used zero-day exploits to execute their schemes... To prevent this attack, we highly discourage users from opening unknown .PDF files or those acquired from unverified sources..."
___

ThreatCon is currently at Level 2: Elevated.
- https://www.symantec...eatconlearn.jsp
"... On February 7, 2013, Adobe released a patch for Adobe Flash Player. This release addresses CVE-2013-0633 (BID 57788) and CVE-2013-0634 (BID 57787), which are being actively exploited in the wild, distributed through malicious Word documents...
[superseded by APSB13-05: https://www.adobe.co.../apsb13-05.html
... Adobe Flash Player 11.6.602.168... February 12, 2013
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
https://web.nvd.nist...r...ths&cves=on ...]"

Edited by AplusWebMaster, 20 February 2013 - 12:25 PM.


#45 AplusWebMaster

Posted 22 March 2014 - 08:16 AM

FYI...

Flash exploit in-the-wild ...
- http://www.threattra...-cve-2014-0502/
Mar 21, 2014 - "... new exploit in the wild going after a known Adobe vulnerability... detected the file cc.swf delivered via the malicious link hxxp ://java-sky .com/swf/cc.swf**... Only 7/51 antivirus vendors on VirusTotal* detect the malicious payload at the time of this post..."

* https://www.virustot...9d87f/analysis/

** 50.62.99.1 - https://www.virustot....1/information/

- http://google.com/sa...c?site=AS:26496

- https://web.nvd.nist...d=CVE-2014-0502 - 10.0 (HIGH)

Latest Flash version 12.0.0.77
- http://forums.whatth...=93035&p=845247

Flash test site:
- http://www.adobe.com...re/flash/about/
 

Edited by AplusWebMaster, 22 March 2014 - 03:04 PM.
