Adobe September 2011 Patch Release

In addition to today’s Microsoft updates, users of Adobe’s Reader and Acrobat software on both Windows and Apple systems need to update their software ASAP. Adobe released Bulletin APSB11-24, addressing at least thirteen memory corruption flaws, and several privilege escalation, logic flaw, and bypass issues.

In today’s earlier post about Microsoft’s patched vulnerabilities, Excel was highlighted as the target of choice in many targeted attacks. Along those lines, Adobe’s Reader and Flash are among the applications most commonly exploited by professional attackers.

I hope by now, if you installed Adobe’s PDF reader on your system, that you are using the newest version of the product, Reader X. It includes some fantastic sandboxing security functionality. But even this layer of security is not a perfect solution, as a vulnerability in it is being patched this month. A zero-day attack on the Reader X sandbox was even publicly demonstrated a month ago in the Black Hat presentation “Playing In The Reader X Sandbox”. Still, it is a great layer of security and a great step forward for Adobe’s security team. To manually update Reader X, open “Reader X -> Help -> Check for Updates” and follow the instructions to download and install the updates from there.

Much like the Microsoft vulnerabilities, most of the issues are heap overflow based. But unlike most of the publicly described Microsoft vulnerabilities, these Adobe flaws still include five stack overflow vulnerabilities. For a software vendor with an install base as massive as Reader’s, this performance is just poor. Automated auditing tools that detect stack overflow issues and focus remediation efforts have been available, and steadily improved, for years now to organize and direct the necessary code cleanup. The contrast underscores the huge advances Microsoft has made in auditing its own code in comparison to other vendors.
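To make the stack overflow class concrete, here is an added example (not code from the original post, and not Adobe’s code) showing the defect pattern beside the bounds-checked form that static auditing tools look for. The input format, a one-byte length prefix followed by a name, is a constructed stand-in for any length-prefixed field read from a parsed file; the function names and sizes are assumptions for illustration.

```c
/* Added example, not from the original post or from Adobe's code.
 * Shows a stack buffer overflow pattern (a file-supplied length used
 * to copy into a fixed-size stack buffer) beside the bounded version.
 * Input format is constructed: byte 0 is the name length, then the
 * name bytes follow. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the parser's stack buffer */

/* VULNERABLE: trusts the length byte from the file and copies that many
 * bytes into a fixed stack buffer. A length of NAME_MAX or more overruns
 * the buffer; this is the classic stack overflow the post refers to.
 * It is here only to show the defect and is never called with
 * untrusted input in this example. */
static int copy_name_unchecked(const uint8_t *field, size_t field_len,
                               char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t len;

    if (field_len < 1)
        return -1;                      /* no length byte at all */
    len = field[0];
    memcpy(name, field + 1, len);       /* no bound on len */
    name[len] = '\0';                   /* may also write past name[] */
    if (out_len < len + 1)
        return -1;
    memcpy(out, name, len + 1);
    return (int)len;
}

/* HARDENED: the length must fit in the stack buffer (leaving room for
 * the terminator) and must not run past the bytes actually held.
 * Rejecting the field is the correct answer for malformed input. */
static int copy_name_checked(const uint8_t *field, size_t field_len,
                             char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t len;

    if (field_len < 1)
        return -1;                      /* no length byte at all */
    len = field[0];
    if (len >= sizeof name || len + 1 > field_len)
        return -1;                      /* too long or truncated */
    memcpy(name, field + 1, len);
    name[len] = '\0';
    if (out_len < len + 1)
        return -1;                      /* caller buffer too small */
    memcpy(out, name, len + 1);
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: a well-formed 5-byte name and a field whose
     * length byte claims 200 bytes, far more than NAME_MAX. */
    const uint8_t good[] = { 5, 'T', 'i', 't', 'l', 'e' };
    const uint8_t bad[]  = { 200, 'A', 'B', 'C' };
    char out[NAME_MAX];

    printf("checked/good: %d (%s)\n",
           copy_name_checked(good, sizeof good, out, sizeof out), out);
    printf("checked/bad:  %d (rejected)\n",
           copy_name_checked(bad, sizeof bad, out, sizeof out));
    /* copy_name_unchecked(bad, ...) is deliberately not run: it would
     * smash the stack. A compiler with stack protection or a static
     * auditor flags exactly this missing bound. */
    return 0;
}
```

The only difference between the two functions is the single `if` that compares the file-supplied length against the buffer size and the remaining data; that missing comparison is what automated auditing tools are built to find.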

Also along the lines of today’s previous post, Reader is frequently and effectively exploited in targeted attacks, and it is abused in far larger volumes by exploit pack developers and operators. Corporate users, including legal staff, top-level executives and board staff, admin assistants, political activists and HR folks, should be highly sensitive to flaws in their Adobe Reader and Flash software, but home users are getting hit by this stuff daily too. On bad days, Adobe exploit preventions run into the hundreds of thousands, thanks to implementation and distribution in the Blackhole Exploit Pack, the Phoenix Exploit Pack, and the underground’s mastery of blackhat SEO and malvertising techniques. Patch immediately.
