funsec mailing list archives
Re: Adobe 0-day in the wild
From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 24 Feb 2009 12:46:34 -0800
On Tue, Feb 24, 2009 at 2:26 AM, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:

> It appears that the first Milw0rm PoC is surely related to JBIG2; US-CERT's http://www.kb.cert.org/vuls/id/905281 points to Milw0rm's #8090.
Indeed. Shadowserver's 2009.2.21 post (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221) confirms this:

    "We knew it would not take too long -- the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly. While we intentionally did not release these details, they are out there now."
In the same post, they speculate that this exploit has been in active use since December or January. Matthew Watchinski, in a comment on Sourcefire's VRT blog, confirms this:

    "After re-scanning the zoo after the publishing of Exploit.DF-26,27,28 for ClamAv, the VRT located numerous samples dating as far back as January 2009."
That being said, can anyone confirm that Adobe 7 is vulnerable? My personal testing with the Milw0rm #8090 PoC seems to imply that it's not. I get the message, "Insufficient data for an image", and Reader doesn't crash. The remainder of the PDF (minus the first page) displays just fine. However, Adobe mentions 7 in their advisory. Perhaps it's exploitable, but the methodology is slightly different?

Checkfree was hacked in Dec '08 [1] (DNS redirect sending users to a malicious site), and although it was not commonly reported in the press at the time, I was told by a company rep that the redirect was to a malicious PDF file. In hindsight, it seems that this might have been the same exploit we're dealing with now.

-Nick

[1] http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?hpid=sec-tech
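For readers triaging PDF samples against the JBIG2 issue discussed in this thread, the following is an added example (not code from the post, from Milw0rm, or from any vendor): a small Python scanner that walks the objects of a PDF and reports every stream whose /Filter chain includes /JBIG2Decode, noting whether it also references /JBIG2Globals. It resolves PDF name escapes (#XX) first, so a filter written as /JBIG2#44ecode is still recognised. The embedded sample PDF is constructed for the demonstration and contains no exploit data; the object layout and the returned field names are the example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample (not a real-world file): three objects, two of which
# declare JBIG2Decode. Object 3 uses a #XX name escape and a JBIG2Globals
# reference; object 2 is an ordinary FlateDecode stream and must not match.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /XObject /Subtype /Image /Width 32 /Height 32 /Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x01
endstream
endobj
2 0 obj
<< /Length 5 /Filter /FlateDecode >>
stream
abcde
endstream
endobj
3 0 obj
<< /Filter [ /ASCIIHexDecode /JBIG2#44ecode ] /DecodeParms [ null << /JBIG2Globals 4 0 R >> ] /Length 2 >>
stream
00
endstream
endobj
trailer
<< /Root 5 0 R >>
%%EOF
"""

# "N G obj ... endobj" blocks; non-greedy so each object is matched separately.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Raw stream payload between the "stream" and "endstream" keywords.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF name escape: "#44" encodes the byte 0x44 ("D").
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Resolve #XX escapes so /JBIG2#44ecode compares equal to /JBIG2Decode."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_jbig2_objects(pdf: bytes) -> List[Dict[str, object]]:
    """Return one record per object whose dictionary names the JBIG2Decode filter.

    Each record holds the object number, whether /JBIG2Globals is referenced
    (a second stream the decoder must also parse), and the raw stream length.
    """
    hits: List[Dict[str, object]] = []
    for m in OBJ_RE.finditer(pdf):
        obj_num = int(m.group(1))
        body = m.group(3)
        stream = STREAM_RE.search(body)
        # The dictionary is everything before the stream keyword (or the whole body).
        dict_part = decode_names(body[: stream.start()] if stream else body)
        if b"/JBIG2Decode" not in dict_part:
            continue
        hits.append(
            {
                "object": obj_num,
                "has_globals": b"/JBIG2Globals" in dict_part,
                "stream_len": len(stream.group(1)) if stream else 0,
            }
        )
    return hits


if __name__ == "__main__":
    for hit in find_jbig2_objects(SAMPLE_PDF):
        print(hit)
```

The scan is intentionally lexical: it does not inflate object streams or decode the JBIG2 data itself, so a file that hides its image objects inside a compressed /ObjStm would need that layer unpacked first. A JBIG2Decode hit is a reason to look closer (or to open the file only in a sandbox), not proof of malice, since legitimate scanned documents use the same filter.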