funsec mailing list archives

Re: Adobe 0-day in the wild


From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 24 Feb 2009 12:46:34 -0800

On Tue, Feb 24, 2009 at 2:26 AM, Juha-Matti Laurio <
juha-matti.laurio () netti fi> wrote:

It appears that the first Milw0rm PoC is surely related to JBIG2, US-CERT's
http://www.kb.cert.org/vuls/id/905281
points to Milw0rm's #8090.


Indeed. Shadowserver's 2009.2.21 post (
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221) confirms
this:

We knew it would not take too long -- the details of the vulnerable function
and enough information to potentially recreate the exploit have now been
published publicly. While we intentionally did not release these details,
they are out there now


In the same post, they speculate that this exploit has been in active use
since December or January. Matthew Watchinski, in a comment on Sourcefire's
VRT blog confirms this:

After re-scanning the zoo after the publishing of Exploit.DF-26,27,28
for ClamAv, the VRT located numerous samples dating as far back as
January 2009.


That being said, can anyone confirm that Adobe 7 is vulnerable? My personal
testing with the Milw0rm #8090 PoC seems to imply that it's not. I get the
message, "Insufficient data for an image" and Reader doesn't crash. The
remainder of the PDF (minus the first page) displays just fine. However,
Adobe mentions 7 in their advisory. Perhaps it's exploitable, but the
methodology is slightly different?

Checkfree was hacked in Dec '08 [1] (DNS redirect sending users to a
malicious site), and although it was not commonly reported in the press at
the time, I was told by a company rep that the redirect was to a malicious
PDF file. In hindsight, it seems that this might have been the same exploit
we're dealing with now.

-Nick

[1]
http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?hpid=sec-tech
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
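The thread ties the in-the-wild samples to JBIG2 and describes rescanning a sample zoo once ClamAV signatures were published. The script below is an added example (not code from this thread, from Shadowserver or from the VRT) of the first triage step one would run over such a zoo: walk the raw object syntax of a PDF and report every image stream whose /Filter chain includes /JBIG2Decode, together with its declared and actual lengths and whether it references a /JBIG2Globals stream. The embedded SAMPLE_PDF is a constructed, harmless one-object test file, not a sample from the thread; the script says nothing about whether a given file is exploitative, only that it exercises the JBIG2 decoder and so deserves a closer look.

```python
"""Triage helper: flag PDF files that carry JBIG2-encoded image streams.

Added example, not code from the funsec thread. It walks the raw object
syntax of a PDF with regular expressions (no PDF library), which is enough
for plain, unencrypted files; objects packed into compressed object streams
(PDF 1.5 /ObjStm) or inside encrypted documents are not seen this way.
"""
import re

# Constructed sample (not a real exploit): one image XObject whose data
# stream is declared with the /JBIG2Decode filter and four bytes of payload.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 10 10]
   /Resources << /XObject << /Im0 4 0 R >> >> >>
endobj
4 0 obj
<< /Type /XObject /Subtype /Image /Width 1 /Height 1
   /BitsPerComponent 1 /ColorSpace /DeviceGray
   /Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /Filter is either a single name or an array of names.
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
# Direct /Length only; an indirect "/Length n g R" is reported as unknown.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)(?:\r\n|\r|\n)endstream", re.DOTALL)


def find_jbig2_streams(data: bytes) -> list:
    """Return one record per object whose /Filter chain includes /JBIG2Decode."""
    hits = []
    for m in OBJ_RE.finditer(data):
        obj_num, body = int(m.group(1)), m.group(3)
        f = FILTER_RE.search(body)
        if not f or b"/JBIG2Decode" not in f.group(1):
            continue
        declared = LENGTH_RE.search(body)
        s = STREAM_RE.search(body)
        payload = s.group(1) if s else b""
        hits.append({
            "obj": obj_num,
            "declared_length": int(declared.group(1)) if declared else None,
            "actual_length": len(payload),
            # /JBIG2Globals points at a second stream (shared symbol
            # dictionary); note it so the analyst pulls that object as well.
            "has_globals": b"/JBIG2Globals" in body,
        })
    return hits


def summarize(data: bytes) -> dict:
    """Per-file verdict: how many JBIG2 streams, and which ones look odd."""
    hits = find_jbig2_streams(data)
    mismatch = [h["obj"] for h in hits
                if h["declared_length"] is None
                or h["declared_length"] != h["actual_length"]]
    return {
        "jbig2_streams": len(hits),
        "objects": [h["obj"] for h in hits],
        "length_mismatch": mismatch,
        # Any JBIG2 use is worth a look while the decoder is under attack;
        # a length mismatch is an extra oddity, not proof of anything.
        "flag": bool(hits),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for h in find_jbig2_streams(blob):
        print(f"obj {h['obj']}: JBIG2 stream, declared={h['declared_length']} "
              f"actual={h['actual_length']} globals={h['has_globals']}")
    print(summarize(blob))
```

Run it with a file argument to scan a real PDF, or with none to scan the embedded sample. It deliberately does not decode the JBIG2 data: the point is to route files at the decoder into a sandboxed or signature-based pipeline, not to parse attacker-controlled segments in the triage tool itself.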