Adobe Reader and Acrobat Vulnerability (CVE-2011-2462)
Posted: 07 Dec 2011 07:39 PM

Yesterday, Adobe released a Security Advisory warning about a vulnerability in Adobe Reader and Acrobat. Adobe rated this vulnerability "critical" because it may allow an attacker to execute code remotely and take control of an affected system. Adobe is currently working on a fix and plans to roll it out next week for the 9.x versions of its software for Windows. Because Adobe Reader X and Adobe Acrobat X have a sandboxing mechanism called Protected View, these versions will not allow code to be executed remotely, so for the X versions of the affected software Adobe will issue a fix in its next quarterly update, currently scheduled for January 10, 2012. Adobe lists Protected View as a way to safeguard your system against this threat. Please be sure to use the X version of Adobe software and verify that Protected View is enabled. The Mitigations section of the Adobe Security Advisory explains how to do this for the X versions.

Websense Security Labs™ is aware of reports that this vulnerability has been used in the wild. We have updated our Advanced Classification Engine, ACE, to help protect against and look for any other possible attacks in the wild.

Chris Astacio

Microsoft patches 15 important vulnerabilities
Posted: 15 Sep 2011 02:45 PM

This month, Microsoft issued 5 security bulletins covering 15 vulnerabilities in Excel and Windows. These updates are rated important rather than critical because, at the time of the patch, there was no malicious code exploiting the vulnerabilities in the wild. Adobe also released a security bulletin patching 13 vulnerabilities in Acrobat Reader. Websense® Security Labs highly recommends applying the updates so that cyber criminals cannot use these security holes for their malicious activities.

Arguably the most important bulletin is MS11-072, which addresses five different vulnerabilities in Microsoft Office. An attacker could use any of these to execute arbitrary code on the computer with the same access rights as the user. This is a focus for any security researcher, as hackers are constantly looking for new ways to distribute their badware. Such issues are probably getting more headlines because Adobe's sandboxing system and regular security patches seem to be paying off, meaning an up-to-date system is much less prone to successful exploitation of vulnerabilities in PDFs.

This does not mean, of course, that we will see no more vulnerabilities in Acrobat Reader. On Tuesday Adobe issued a security bulletin too, fixing 13 vulnerabilities in their product. Each of the vulnerabilities could allow an attacker to execute code on the host computer, allowing them to take full control of it. This patch is rated as critical, so applying it is strongly recommended.

Also worth mentioning is that many vendors have released updates in response to the DigiNotar certificate issue: Microsoft, Adobe, and Mozilla Firefox all issued updates, and Firefox released an additional security patch targeting this issue. Please check that you have applied the latest updates so you are fully protected.

Is your organization using the latest Firefox 6 or Internet Explorer 9? Which one did you find more secure? Give us your thoughts in the comments.

Vulnerabilities patched by Microsoft on 13 September 2011:

MS11-070 WINS Local Elevation of Privilege Vulnerability (CVE-2011-1984)

MS11-071 Windows Components Insecure Library Loading Vulnerability (CVE-2011-1991)

MS11-072 Excel Use after Free WriteAV Vulnerability (CVE-2011-1986)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1987)

MS11-072 Excel Heap Corruption Vulnerability (CVE-2011-1988)

MS11-072 Excel Conditional Expression Parsing Vulnerability (CVE-2011-1989)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1990)

MS11-073 Office Component Insecure Library Loading Vulnerability (CVE-2011-1980)

MS11-073 Office Uninitialized Object Pointer Vulnerability (CVE-2011-1982)

MS11-074 XSS in SharePoint Calendar Vulnerability (CVE-2011-0653)

MS11-074 HTML Sanitization Vulnerability (CVE-2011-1252)

MS11-074 Editform Script Injection Vulnerability (CVE-2011-1890)

MS11-074 Contact Details Reflected XSS Vulnerability (CVE-2011-1891)

MS11-074 SharePoint Remote File Disclosure Vulnerability (CVE-2011-1892)

MS11-074 SharePoint XSS Vulnerability (CVE-2011-1893)

Vulnerabilities patched by Adobe on 13 September 2011:

Local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).

Security bypass vulnerability that could lead to code execution (CVE-2011-2431).

Buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2433).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2434).

Buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).

Heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2437).

Stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).

Memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).

Use-after-free vulnerability that could lead to code execution (CVE-2011-2440).

Stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).

Logic error vulnerability that could lead to code execution (CVE-2011-2442).

Websense Security Labs and our ThreatSeeker Network are constantly monitoring for these threats occurring in the wild.

CVE-2011-2110 for Adobe Flash Player being exploited in the wild
Posted: 17 Jun 2011 08:30 PM

Earlier this week Adobe released security updates for several of their products, and the CVE-2011-2110 vulnerability in Flash Player is now actively being used in drive-by and spear-phishing attacks. Websense customers are protected from these attacks by ACE, our Advanced Classification Engine.

 

The vulnerability is triggered when a browser with the Adobe Flash Player plugin installed renders a web page containing a simple command that loads a malicious SWF file, as in this sample code observed by the Websense ThreatSeeker® Network:

Technical details

We are still analyzing the vulnerability and how the exploit works, but here's what we know. The exploit samples we've seen so far use a heap information leak, so the exploit doesn't have to spray the heap. Once the vulnerability is triggered, control is transferred from legitimate code to malicious code when the stack pointer is replaced with the value in EAX.

Once the stack has been compromised, it carries out the ROP portion of the attack to allocate an executable memory page for the second stage of the shellcode.

Once the shellcode has executed, it will try to download an encrypted binary file that's decrypted by an embedded ActionScript. The decrypted file is saved in the %TEMP% folder on the computer and then executed. Here's a VirusTotal link to one binary we saw used by one of the exploit files, but each exploit downloads a different file from a different server.

We also found an interesting debug string in one of the SWF files we looked at, which is a greeting to Rising, a Chinese antivirus company.

Below is a list of URLs where we've seen the exploit being hosted.

As always, it's crucial that you install the latest version of Adobe Flash Player as soon as possible if you haven't done so already. The vulnerable versions are any version older than 10.3.181.26. If you're unsure which version of Adobe Flash Player you have installed, you can find out by going to this link hosted at Adobe.


Our friends over at Shadowserver have posted some information about this vulnerability on their blog.


(Technical analysis done by Victor Chin)

Patrik Runald

One more Adobe 0-day vulnerability using Office files
Posted: 11 Apr 2011 04:44 PM

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system via PDF files. However, since the vulnerability exists in Flash, a machine can still be exploited through other formats and applications that support Flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat, but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Patrik Runald

New 0-day Vulnerability in Adobe Flash Player (CVE-2011-0609)
Posted: 15 Mar 2011 07:35 AM

Websense® Security Labs™ has received reports of a new zero-day exploit that targets Adobe Flash Player (CVE-2011-0609). The vulnerability can potentially allow an attacker to execute malicious code on a targeted machine and has been spotted in a limited number of targeted attacks. These attacks employed an Excel file with an embedded Flash file (.swf) that triggers the vulnerability, with the aim of executing malicious code on the targeted machines.

The security advisory released by Adobe marks the vulnerability as "critical", and it affects all the latest versions of Adobe Flash Player. The vulnerability also exists in Adobe Acrobat Reader and Adobe Acrobat Reader X, as the vulnerable DLL file "authplay.dll" is also shipped with those versions. However, Adobe Acrobat X can prevent this kind of vulnerability from being exploited, thanks to its sandbox functionality, so it's highly recommended to upgrade to that version if possible.

Adobe plans to patch this vulnerability with an update to Flash Player that will be available for all platforms on the 21st of March.

Currently we're not seeing any widespread attacks in the wild that utilize this vulnerability, largely because the exploit details aren't publicly disclosed, but we're monitoring the situation and will keep you updated as related events unfold.

Elad Sharf

New 0-day Vulnerability in Adobe Acrobat Reader
Posted: 08 Nov 2010 01:16 PM

A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shellcode in memory using heap spraying to exploit the vulnerability.

Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

Adobe has published advice on how to avoid this vulnerability by blacklisting the vulnerable function call. The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them about it. Respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue.
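Blacklisting the API in the reader is one layer; a complementary defensive step is to triage incoming PDFs for JavaScript actions that reference the blacklisted name before anyone opens them. The scanner below is an added example, not code from this post or from Adobe. It pulls every /JS payload out of a PDF whether it is stored as a literal string (where balanced parentheses such as printSeps() nest unescaped, so a naive regex stops too early), as a hex string, or as a FlateDecode stream referenced indirectly, and reports which scripts mention a blacklisted API. The sample document is constructed for the example and contains no exploit; the blacklist tuple, the function names and the regular expressions are assumptions of this example, and a real document can split objects across object streams or build the name at runtime in ways a static scanner will miss.

```python
import re
import zlib
from typing import Dict, List, Tuple

# APIs that the JavaScript blacklist mitigation is meant to block. The page names
# Doc.printSeps; the tuple is data, so further names can be appended (assumed list).
BLACKLISTED_APIS = ("printSeps",)


def _read_literal(pdf: bytes, start: int) -> bytes:
    """Read a PDF literal string whose opening '(' sits at pdf[start].
    Balanced parentheses nest without escaping and a backslash escapes the next byte."""
    depth, i, out = 0, start, bytearray()
    while i < len(pdf):
        c = pdf[i:i + 1]
        if c == b"\\":
            nxt = pdf[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)  # unterminated string: return what was read


def _stream_objects(pdf: bytes) -> Dict[bytes, Tuple[bytes, bytes]]:
    """Map object number -> (dictionary, raw body) for every stream object."""
    objs = {}
    for chunk in pdf.split(b"endobj"):  # one object per chunk, so regexes cannot span objects
        m = re.search(rb"(\d+)\s+0\s+obj(.*?)stream\r?\n(.*?)\r?\nendstream", chunk, re.S)
        if m:
            objs[m.group(1)] = (m.group(2), m.group(3))
    return objs


def extract_javascript(pdf: bytes) -> List[bytes]:
    """Return every /JS payload: literal string, hex string, or referenced stream."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        scripts.append(_read_literal(pdf, m.end() - 1))
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]*)>", pdf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"  # the PDF spec pads an odd final hex digit with 0
        scripts.append(bytes.fromhex(digits.decode("ascii")))
    streams = _stream_objects(pdf)
    for objnum in re.findall(rb"/JS\s+(\d+)\s+0\s+R", pdf):  # indirect reference
        if objnum not in streams:
            continue
        dictionary, body = streams[objnum]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep raw bytes; a stream that will not inflate deserves a look anyway
        scripts.append(body)
    return scripts


def find_blacklisted_calls(pdf: bytes, blacklist=BLACKLISTED_APIS) -> Dict[str, List[str]]:
    """Map each blacklisted API name to the scripts that reference it."""
    hits: Dict[str, List[str]] = {}
    for script in extract_javascript(pdf):
        text = script.decode("latin-1")
        for api in blacklist:
            if re.search(r"\b%s\b" % re.escape(api), text):
                hits.setdefault(api, []).append(text)
    return hits


def build_sample_pdf() -> bytes:
    """Constructed test document (not a real exploit): three JavaScript actions that
    reference printSeps via a literal string, a hex string and a Flate stream, plus
    one benign action that must not be flagged."""
    compressed = zlib.compress(b"var f = this.printSeps; f();")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /S /JavaScript /JS (this.printSeps(); app.alert('done');) >> endobj\n"
        b"2 0 obj << /S /JavaScript /JS <" + b"app.doc.printSeps()".hex().encode() + b"> >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream endobj\n"
        b"5 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for api, scripts in find_blacklisted_calls(build_sample_pdf()).items():
        print(api, "referenced by", len(scripts), "script(s)")
```

Run it against a directory of quarantined attachments by replacing build_sample_pdf() with the file bytes; a hit is a reason to detonate or block the document, not proof of exploitation, since legitimate forms rarely but occasionally call printing APIs.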

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

We will update this blog post with any interesting developments.

Update 09-Nov-2010:

The vulnerability is now registered as CVE-2010-4091 on mitre.org. Adobe also mentions the issue in security advisory APSA10-05. There is still no proof that this vulnerability has been exploited in the wild.

Tamas Rudnai

Adobe Flash Player & Adobe Reader and Acrobat 0-day (CVE-2010-3654)
Posted: 28 Oct 2010 05:18 PM

Websense® Security Labs™ has received reports of a new zero-day exploit that targets the Adobe Flash Player. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine.

 

The vulnerability can be delivered directly via a SWF file (Flash) or via a PDF file with an embedded Flash file object. An attack using the vulnerability with a PDF file has been spotted in the wild by Contagio Malware Dump (blog).

Today Adobe issued a security advisory confirming the flaw and rating the vulnerability critical.

It has been a very busy past few months with respect to vulnerabilities in Adobe products. The upcoming Adobe Acrobat Reader version, dubbed Adobe Acrobat X, promises tightened security features, so hopefully exploitation through Adobe's Reader will diminish.

Adobe announced that they will release a patched version of Flash on November 9 and a fixed version of Adobe Reader the week of November 15.

We are keeping an eye on developments and will update further as events unfold.

Elad Sharf

Piggybacking on Adobe Acrobat and others
Posted: 18 Oct 2010 01:35 PM

Yesterday, Adobe unveiled the next version of its Acrobat software: Adobe Acrobat X. The version is set to hit the market within 30 days. Among other features, the version is going to include a very important security feature that will allow users to view documents safely within a sandbox environment, adding a layer of protection to the product. Until the new version is released, there will be a lot of talk about it, which presents an opportunity to cyber criminals.

"Piggybacking" software has been circulating for some time now, and the upcoming Adobe Acrobat X launch is a great opportunity for it to rear its ugly head again. The term "piggybacking software" refers to programs that use the reputation of popular free or paid software to sell the exact same software under false pretences (for example, by claiming that it has enhanced features), or to sell slightly different software with limited added functionality. In both cases, the software is presented in a misleading way as an updated version of the genuine software.

Piggybacking software is usually found on Web sites that:

1. Are very low reputation sites or template sites
2. Use the original software brand name, themes, and colors
3. Present the same features as the original free software or service
4. Sell the same features the original software or service offers, possibly adding very limited functionality
5. Spread through spam, Web spam, or proxy Web sites
6. Are not affiliated with the offered software or service, and have a limited refund policy, if any

The table shows an example of what is meant by low reputation. All the sites in the table below sell piggyback software. At some point, all of the sites shared the same IP address, were registered for a relatively short period of time, used the same templates under various different names, and used the anonymous domain registrar "Domains By Proxy." You can see that Adobe is a popular target, but there are others too:

Hostname                        Website exists for   Target
download-2010-version.com       4 months+            Adobe Acrobat
latest-2010-version.com         4 months+            Adobe Acrobat
latest-new-pdf-download.com     20 days              Adobe Acrobat
new-earth-online.com            1 month+             Google Earth
new-online-version.com          5 months+            Limewire
official-pdf-download.com       2 months+            Adobe Acrobat
official-pdf-pro.com            2 months+            Adobe Acrobat
official-pdf2010.com            2 months+            Adobe Acrobat
official-pdfdownload.com        2 months+            Adobe Acrobat
pdf-new2010.com                 4 months+            Adobe Acrobat
pdfreader--2010.com             4 months+            Adobe Acrobat
the-movie-downloads.com         5 months+            Generic / Streamer
watch-hd-movies-online.com      1 month+             Generic / Streamer
www.online-tv-on-pc.com         28 days              Generic / Streamer
www.pdf-new-2010-download.com   20 days              Adobe Acrobat
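The characteristics listed above (a brand keyword on an unaffiliated domain, a short registration history, a privacy registrar, and an IP address shared with other such sites) can be turned into a simple triage score for domains that turn up in spam or proxy logs. The script below is an added example, not a Websense tool: it scores constructed registration records, several of them reusing hostnames from the table with constructed ages, IP addresses and registrant names, and collapses www. and bare hostnames onto one registrable domain so they are counted once when measuring IP sharing. The keyword-to-brand map, the official-domain allow-list and the 180-day threshold are assumptions made for the example.

```python
from collections import Counter
from typing import List

# Brand keywords seen in the hostnames on the page, mapped to the brand they ride on,
# and the domains those brands legitimately use (allow-list assumed for this example).
BRAND_KEYWORDS = {"adobe": "Adobe", "acrobat": "Adobe", "pdf": "Adobe",
                  "earth": "Google Earth", "skype": "Skype", "limewire": "Limewire"}
OFFICIAL_DOMAINS = {"Adobe": {"adobe.com"}, "Google Earth": {"google.com"},
                    "Skype": {"skype.com"}, "Limewire": {"limewire.com"}}
PRIVACY_REGISTRANTS = {"domains by proxy"}  # anonymising registrar named on the page
YOUNG_DOMAIN_DAYS = 180                     # assumed threshold; every site in the table is younger


def registrable_domain(hostname: str) -> str:
    """Collapse 'www.example.com' and 'example.com' onto one name (naive two-label rule)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(record: dict, ip_sharing: Counter) -> dict:
    """Return the reasons a registration record looks like a piggyback site and a score."""
    domain = registrable_domain(record["hostname"])
    reasons = []
    for keyword, brand in BRAND_KEYWORDS.items():
        if keyword in domain and domain not in OFFICIAL_DOMAINS[brand]:
            reasons.append(f"uses brand keyword '{keyword}' but is not an official {brand} domain")
            break
    if record["age_days"] < YOUNG_DOMAIN_DAYS:
        reasons.append(f"registered only {record['age_days']} days ago")
    if record["registrant"].lower() in PRIVACY_REGISTRANTS:
        reasons.append(f"registrant hidden behind {record['registrant']}")
    others = ip_sharing[record["ip"]] - 1  # other distinct domains on the same address
    if others > 0:
        reasons.append(f"shares IP {record['ip']} with {others} other domain(s) in the set")
    return {"domain": domain, "score": len(reasons), "reasons": reasons}


def triage(records: List[dict]) -> List[dict]:
    """Score every record; most suspicious first. IP sharing counts distinct domains, not hostnames."""
    pairs = {(registrable_domain(r["hostname"]), r["ip"]) for r in records}
    ip_sharing = Counter(ip for _, ip in pairs)
    scored = [score_domain(r, ip_sharing) for r in records]
    return sorted(scored, key=lambda s: s["score"], reverse=True)


# Constructed records: hostnames from the page's table, but ages, addresses (documentation
# range) and registrant strings are invented for the example.
SAMPLE_RECORDS = [
    {"hostname": "pdf-new-2010-download.com", "age_days": 20, "ip": "192.0.2.10", "registrant": "Domains By Proxy"},
    {"hostname": "www.pdf-new-2010-download.com", "age_days": 20, "ip": "192.0.2.10", "registrant": "Domains By Proxy"},
    {"hostname": "official-pdf-download.com", "age_days": 60, "ip": "192.0.2.10", "registrant": "Domains By Proxy"},
    {"hostname": "new-earth-online.com", "age_days": 30, "ip": "192.0.2.10", "registrant": "Domains By Proxy"},
    {"hostname": "adobe.com", "age_days": 5000, "ip": "203.0.113.5", "registrant": "Adobe Systems Incorporated"},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_RECORDS):
        print(result["score"], result["domain"], "; ".join(result["reasons"]))
```

The score is deliberately additive and explainable: an analyst reviewing a blocklist candidate sees which of the page's characteristics fired rather than an opaque number, and a legitimate vendor domain that happens to contain a brand word scores zero because the allow-list check runs before the keyword counts.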

This is how piggyback scams generally work: the entrepreneurs (criminals, to be more precise) establish a software Web site where they sell piggyback software. They take care of the site's design, payment processing, the availability of the Web site, etc. They want to "spread the word" about the new site and get revenue. This is where spammers come in. They form a relationship with the entrepreneurs to create spam linking to the new Web site for a cut of the sales. The entrepreneurs are more exposed, so they are also more cautious. They protect themselves with license and terms of service agreements and delegate the distribution responsibilities to spammers, who take more aggressive approaches since they're more anonymous and not officially affiliated with the Web site.

Here is an example of a very recent, related spam message. Note the subject and where it is from:

Action Required : Upgrade Your New PDF Acrobat Reader

Users that click the www.adobe-software-upgrade.com link are instantly redirected to the site below, pdf-new-2010-download.com. This is the entrepreneur site:

In the picture above you can see the user is also enticed with a "FREE OFFICE SUITE," which is another piece of widely available free software. Clicking the download button redirects buyers to a page that collects their email address, name, and location. Once those details are submitted, the buyer is redirected to the payment site secureonline.ru, which is also part of the scam:

We have seen hundreds of thousands of these messages, and the spam campaign is still ongoing. You might think that after hundreds of thousands of messages the spamming affiliate would get blocked by its partner, but similar spam messages are still being sent out. They just use different domains that lead to the entrepreneur site with the same affiliate ID. It's easy money. In this case, the 2-day-old domain www.adobe-acrobat-sofware.com is used:

Here are more visual examples of spammed piggyback software that profit from Skype (voip-online-access-now.com) and Google Earth (new-earth-online.com) respectively:

So who is targeted in these kinds of scams? It isn't Joe Internet, who knows a thing or two about software. The ideal targets are novice Internet users, ideally the ones just starting to discover the Internet and its offerings.

While we might take the Internet for granted, not everyone does. Some are dazzled, and believe it's innocent and all good. This could come from misinformation or naivety, but a lot of us were that way when we started out. So the target market is always there, and the fact that these attacks have been going on for a long time means they pay off. This is an opportunity to advise people with a little less Internet experience than us to be a bit more aware and add an extra pinch of suspicion and doubt to their online shopping activities.

Elad Sharf

Busy Four Months of Zero Days
Posted: 08 Oct 2010 11:00 AM

Reflecting on the past few months, it has been very busy with zero-day flaws affecting popular products. Last Tuesday, Adobe issued a patch for the SING table parsing vulnerability that affects Adobe Acrobat and Reader (CVE-2010-2883). That makes six critical zero-days patched in just four months, in what we consider to be highly exposed software.

This is also the place to remind you to update and patch the affected software. Since there were quite a few vulnerabilities to deal with, we decided to summarize them with a timeline, just to give a bit of perspective on how unusually busy it has been recently.

In total, those vulnerabilities accounted for 108 non-patch days, which means the affected software was exposed for 88.5% of those 4 months.
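The 108-day figure is the length of the union of the individual exposure windows, not their sum, since several of the zero-days on the timeline overlapped. The function below is an added example, not the post's own calculation: it merges overlapping (first seen in the wild, patch shipped) windows and counts the days inside a reporting period on which at least one window was open. The sample windows are constructed and are not the real advisory dates; a single 108-day window over a 122-day period yields 88.5%, which matches the post's figure if "4 months" is taken to mean 1 June to 30 September 2010.

```python
from datetime import date, timedelta
from typing import Iterable, List, Tuple

Window = Tuple[date, date]  # (first day exploitable in the wild, day the patch shipped)


def merge_windows(windows: Iterable[Window]) -> List[Window]:
    """Merge overlapping or touching windows so a day with two unpatched zero-days counts once."""
    merged: List[Window] = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposed_days(windows: Iterable[Window], period_start: date, period_end: date) -> int:
    """Days in [period_start, period_end] with at least one window open.
    The patch day itself counts as protected (window end is exclusive)."""
    total = 0
    period_stop = period_end + timedelta(days=1)
    for start, end in merge_windows(windows):
        lo, hi = max(start, period_start), min(end, period_stop)
        if hi > lo:
            total += (hi - lo).days
    return total


def exposure_ratio(windows: Iterable[Window], period_start: date, period_end: date) -> float:
    """Percentage of the period during which at least one zero-day was unpatched."""
    period_days = (period_end - period_start).days + 1
    return round(100.0 * exposed_days(windows, period_start, period_end) / period_days, 1)


# Constructed timeline of six hypothetical zero-days (not the advisory dates from the post);
# the third window starts before the second one is patched, so the two must be merged.
SAMPLE_WINDOWS = [
    (date(2010, 6, 4), date(2010, 6, 29)),
    (date(2010, 7, 16), date(2010, 8, 2)),
    (date(2010, 8, 1), date(2010, 8, 11)),
    (date(2010, 8, 30), date(2010, 9, 15)),
    (date(2010, 9, 8), date(2010, 10, 5)),
    (date(2010, 9, 13), date(2010, 10, 5)),
]
PERIOD = (date(2010, 6, 1), date(2010, 9, 30))  # assumed meaning of "those 4 months"
# One continuous 108-day window inside the same period, for comparison with the post's figure.
SINGLE_108_DAY_WINDOW = [(date(2010, 6, 1), date(2010, 9, 17))]

if __name__ == "__main__":
    print(exposed_days(SAMPLE_WINDOWS, *PERIOD), "exposed days,",
          exposure_ratio(SAMPLE_WINDOWS, *PERIOD), "% of the period")
```

Treating the patch day as protected is a choice; if your reporting counts a host as exposed until the update is actually deployed, substitute the deployment date for the patch date in each window and the rest of the calculation is unchanged.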

In case you haven't already done so, don't forget to update your software as soon as possible.

References to our alerts and analysis:

Adobe Flash and Acrobat Reader CVE-2010-1297: 1 2 3

Microsoft LNK vulnerability CVE-2010-2568: 1

Apple iOS JailbreakMe: 1 2

Apple Quicktime "_MARSHALED_PUNK_" CVE-2010-1818: 1 2

Adobe Acrobat Reader CVE-2010-2883: 1 2

Adobe Flash CVE-2010-2884: 1

Elad Sharf

A Second Adobe 0-day Vulnerability In Just One Week (CVE-2010-2884)
Posted: 14 Sep 2010 02:27 PM

Websense Security Labs is currently investigating reports of another in-the-wild 0-day vulnerability affecting Adobe products. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine.

Adobe announced in their Security Advisory APSA10-03 that Adobe Flash Player, Adobe Reader, and Adobe Acrobat are affected. This security advisory relates to CVE-2010-2884.

The vulnerability has been rated critical by Adobe. If exploited, the malware author has the opportunity to execute code on the affected user's machine.

The following products are affected:

Adobe Flash Player 10.1.82.76 and earlier versions for:

  • Windows
  • Macintosh
  • Linux
  • Solaris


Adobe Flash Player 10.1.92.10 for:

  • Android


Adobe Reader 9.3.4 for:

  • Windows
  • Macintosh
  • UNIX


Also Adobe Acrobat 9.3.4 and earlier versions for:

  • Windows
  • Macintosh

 
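The affected-product list above, and the "any version older than 10.3.181.26" statement in the CVE-2011-2110 post earlier on this page, are the kind of data an inventory check should be driven by rather than read by eye. The script below is an added example, not code from Websense or Adobe: it encodes both advisories as rules (product, platforms, comparison, version) and audits a constructed software inventory against them, comparing versions numerically so that 9.0.280.0 sorts below 10.1.82.76 (a plain string comparison gets that backwards). The "==" rows mirror the entries the page lists as a single version without "and earlier"; check the vendor advisory before treating older builds of those as safe. Host names, inventory records and function names are assumptions made for the example.

```python
import operator
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparisons are numeric, not lexicographic."""
    return tuple(int(part) for part in text.strip().split("."))


_OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq}

# (advisory, product, platforms or None for any, comparison, version), transcribed from the
# two advisories on the page. "<=" is "this version and earlier", "<" is "older than",
# "==" is the single build the page names without an "and earlier".
ADVISORY_RULES = [
    ("CVE-2010-2884", "Flash Player", {"Windows", "Macintosh", "Linux", "Solaris"}, "<=", "10.1.82.76"),
    ("CVE-2010-2884", "Flash Player", {"Android"}, "==", "10.1.92.10"),
    ("CVE-2010-2884", "Reader", {"Windows", "Macintosh", "UNIX"}, "==", "9.3.4"),
    ("CVE-2010-2884", "Acrobat", {"Windows", "Macintosh"}, "<=", "9.3.4"),
    ("CVE-2011-2110", "Flash Player", None, "<", "10.3.181.26"),
]


def matching_advisories(product: str, platform: str, version: str) -> List[str]:
    """Advisories whose rules say this installed product/platform/version is affected."""
    installed = parse_version(version)
    hits: Set[str] = set()
    for advisory, rule_product, platforms, op, bound in ADVISORY_RULES:
        if rule_product != product:
            continue
        if platforms is not None and platform not in platforms:
            continue
        if _OPS[op](installed, parse_version(bound)):
            hits.add(advisory)
    return sorted(hits)


# Constructed inventory, the shape of data an endpoint agent or asset tool exports.
SAMPLE_INVENTORY = [
    {"host": "ws01", "product": "Flash Player", "platform": "Windows", "version": "10.1.82.76"},
    {"host": "ws02", "product": "Flash Player", "platform": "Windows", "version": "10.3.181.26"},
    {"host": "ws03", "product": "Flash Player", "platform": "Windows", "version": "9.0.280.0"},
    {"host": "mob01", "product": "Flash Player", "platform": "Android", "version": "10.1.92.10"},
    {"host": "srv01", "product": "Reader", "platform": "UNIX", "version": "9.3.4"},
    {"host": "mac01", "product": "Acrobat", "platform": "Macintosh", "version": "9.3.2"},
]


def audit_inventory(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each host with at least one open advisory to the advisories that apply."""
    report: Dict[str, List[str]] = {}
    for item in inventory:
        advisories = matching_advisories(item["product"], item["platform"], item["version"])
        if advisories:
            report[item["host"]] = advisories
    return report


if __name__ == "__main__":
    for host, advisories in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(host, "->", ", ".join(advisories))
```

Because the rules are plain data, the next advisory is one more tuple; the comparison operator is part of the rule precisely because vendors phrase affected ranges in all three ways seen on this page.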

The previous Security Advisory published by Adobe, for CVE-2010-2883, affected only Adobe Reader and Adobe Acrobat.

As per our earlier tweets, Adobe is advising that they plan to patch the Flash Player vulnerability during the week commencing September 27, with the aim of patching Adobe Reader/Acrobat the week after that.

We are keeping a close eye on developments and will be sure to update you further as events unfold.

Carl Leonard


©2013 Websense, Inc. All Rights Reserved.