Adobe Closes Security Holes In Adobe Reader & Acrobat 9.x

Zero day vulnerability in Adobe Acrobat Reader has been fixed. There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system. 

While these vulnerabilities exist in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, there is no immediate risk to users of Adobe Reader and Acrobat X for Windows (with Protected Mode/Protected View enabled), Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.

Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing, we are planning to address these issues in Adobe Reader and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, scheduled for January 10, 2012. We are planning to address these issues in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address these issues in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Closes Security Holes In Adobe Reader & Acrobat 9.x"https://www.voiceofgreyhat.com/2011/12/adobe-closes-security-holes-in-adobe.html</a>

Kaspersky Vulnerability Underscores Users' Poor Updating Habits

Over the past year, Adobe has taken a lot of heat for vulnerabilities in its products -- specifically the Flash plug-in and Adobe Reader. Now, however, there's a fresh new round of finger-pointing in the wake of Kaspersky's first quarter 2011 threat analysis, in which Adobe apps accounted for the top three of the ten most prevalent vulnerabilities on consumer computers.

As is the case with so many reports like this, however, the numbers don't tell the whole story. The top vulnerability, which was in Adobe Reader, wasoriginally posted by Adobe on September 8, 2010 -- and a patch has been available since October 5, 2010. While I'm not impressed that it took a full month for Adobe to issue a critical patch, I'm less impressed that millions of users still hadn't bothered to update by the end of this quarter -- especially when the vastly superior Adode Reader X is available to replace infinitely less-secure 9.X versions.

In fact, only two of the vulnerabilities Kaspersky lists actually surfaced in Q1 2011 -- one in Java and one in Flash. As for the other two Adobe listings, are we to blame the company when end users opt out of an update? In my years as a technician, I've seen countless systems with Adobe Reader, Flash, and Java update icons resting in the tray and periodically tossing out system notifications that an update is available. Much as I would like it to be the case, Adobe and Sun can't make a user follow good security practices.

Should Microsoft take the blame for a flaw in OneNote which was revealed in2007 and has long since been patched? Certainly not. Yes, vendors implementing a transparent, auto-update system like the one in Google Chrome would help, but end users also need to take responsibility for their own security.

Since Kaspersky's list doesn't specify the actual Adobe IDs connected with the flaws, I decided to dig a bit deeper into the report. That process was complicated by the fact that Kaspersky's links point to the wrong vulnerabilities -- and the Secunia IDs provided don't match up either. The top vulnerability, for example, is listed as an Adobe Reader flaw. Clicking through on the link took me to a report about Axigen Mail Server and the Secunia ID (38805) points to one for Microsoft Office. Number three, a Flash vulnerability, links to Fedora update for TexMacs.

For a security vendor to call out another company's products for security shortcomings and not bother to error-check prior to publishing is unacceptable. Such missteps show a disdainful lack of care and cast doubts upon the report's veracity and value.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Kaspersky Vulnerability Underscores Users' Poor Updating Habits"https://www.voiceofgreyhat.com/2011/05/kaspersky-vulnerability-underscores.html</a>

Adobe fixes serious security flaws in Acrobat, Reader

You might not be aware of it, but online criminals frequently exploit bugs in Adobe's PDF-viewing programs on your computer to launch crafty cyberattacks that give them access to your sensitive information.

Case in point: hackers have recently been embedding rigged Adobe Flash files inside legitimate Microsoft Word and Excel documents. When you open what you think is an ordinary Microsoft document, you also let in the corrupt — and hidden — Flash file that grants the criminals entry into your computer.

The Adobe Flash flaw first came to light last month, and was patched April 15.

But the same serious security bug was also found to exist in Adobe Reader and Acrobat. Adobe said it would address these problems during the week of April 25, but thankfully, they've sprung into action early.

Adobe Thursday issued security updates for Reader and Acrobat. Adobe Reader X 10.0.3 is the newest version; Acrobat has been updated to 10.0.3 as well.

Adobe programs are set up on most computers to update automatically, but to update to the newest Adobe versions yourself, Adobe recommends selecting "Software Updates" and then "Check for Updates" under your computer's "System Preferences" or "Help" tab.

Users can also visit Adobe.com for instructions on how to manually update the programs.

Adobe Flash, Reader and Acrobat are such highly prized targets because they are so widely used, and often come preinstalled on computers. Security experts advise users to frequently check for updates to all programs, and to never open unsolicited attachments or ones that seem suspicious.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe fixes serious security flaws in Acrobat, Reader"https://www.voiceofgreyhat.com/2011/04/adobe-fixes-serious-security-flaws-in.html</a>

Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned

Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned Only Safari Survived 

Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Google where the most famous and widely used browsers have to face challenges. Now the result of this long awaited security competition has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers where Chrome, Internet Explorer 10 and Firefox all fell to the mercy of the hackers. Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at 'Pwn2Own'. And for Java it was a true disaster as Java fell three times, though under the contest rules, only the first attacker was due to win the $20,000 prize. Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet, “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning $100,000 for finding a huge hole. Again in a tweet, Security firm Vupen explained “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website. 

Now lets take look at the final score board of Pwn2Own 2013:

Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED

Thursday:
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED

The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-

1. James Forshaw: Java = $20K
2. Joshua Drake: Java = $20k
3. VUPEN Security: IE10 + Firefox + Java + Flash = $250k
4. Nils & Jon: Chrome = $100k
5. George Hotz: Adobe Reader = $70k
6. Ben Murphy: Java = $20k

As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities  Here also for Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization  along with that, the expected patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with VOGH and be safe on the Internet. 

-Source (HP, Naked Security) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned"https://www.voiceofgreyhat.com/2013/03/Pwn2Own-2013-Result.html</a>

Pwn2Own 2013 -Hack Major Browser, Adobe Reader, Flash or Java & Earn in Million Dollars

Pwn2Own 2013 -Hack Major Web-browser, Adobe Reader, Flash or Java & Earn in Million Dollars 

Since the last two years the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In last two years we have seen several hackers, security professionals have expressed their enthusiasm and joined Pwn2Own where four major and widely browser's security get compromised, in order to make applications, software more safe and secure. Last year we have reported how different hackers across the globe taken part in Pwn2Own and successfully hacked Google Chrome, IE & Firefox, and earned millions of dollars. But the contest of this year has some more twist than before as, HP TippingPoint and Google, sponsor of Pwn2Own, has made clear that it is expanding the focus of the competition beyond browsers. Also, Pwn2own 2013 will include $560,000 in prize money for demonstrations of exploits in the major web browsers, Adobe Reader, Adobe Flash or Oracle Java. 

Contest Dates:-

The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. DVLabs blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.

Rules & Prizes:-

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.

• Web Browser
• Google Chrome on Windows 7 ($100,000)
• Microsoft Internet Explorer, either
• IE 10 on Windows 8 ($100,000), or
• IE 9 on Windows 7 ($75,000)
• Mozilla Firefox on Windows 7 ($60,000)
• Apple Safari on OS X Mountain Lion ($65,000)
• Web Browser Plug-ins using Internet Explorer 9 on Windows 7
• Adobe Reader XI ($70,000)
• Adobe Flash ($70,000)
• Oracle Java ($20,000)

The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.

Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing. 

Full contest rules can be found at http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html, and may be changed at any time without notice.

Registration:-

Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow the organizer to ensure that they have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Pwn2Own 2013 -Hack Major Browser, Adobe Reader, Flash or Java & Earn in Million Dollars"https://www.voiceofgreyhat.com/2013/01/Pwn2Own-2013-Hack-and-Earn-in-Million.html</a>

Hackers Breached Adobe Server in Order to Compromise Certificate to Sign malware

Hackers Breached Adobe Server in Order to Compromise Certificate to Sign malware

Few advanced hackers have managed to break into an internal server at Adobe to compromise a digital certificate that allowed them to create at least two files that appear to be legitimately signed by the software maker, but actually contain malware. This security breach took place on Thursday and the software giant Adobe confirmed that the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system. As a result of the breach, which appears to date back to early July, Adobe on Oct. 4 expects to revoke the compromised certificate that was used to sign the malicious files. According to Brad Arkin, senior director of product security and privacy for Adobe “This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” 

Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.” The company uncovered the breach after coming across two malicious "utilities" that appeared to be digitally signed with a valid Adobe cert. It is unclear how or whether those files were used in the wild to target anyone. "Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," Arkin wrote

In another blog posted by Arkin, he said that, generally speaking, most Adobe users won't be affected. "Is your Adobe software vulnerable because of this issue?" he wrote. "No". This issue has no impact on the security of your genuine Adobe software. Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware."

The "build" server that was compromised was not configured according to Adobe's corporate standards, but that shortfall wasn't caught during the provisioning process, Arkin said. He added that the affected server did not provide the adversaries with access to any source code for other products, such as the popular Flash Player and Adobe Reader and Acrobat software. 

Here we would like to give you reminder that in the last few months we have been a slew of attacks against the following sites: Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia,Blizzard and  Philips. And after this breach Adobe also enlisted its name among those who was fallen victim to cyber criminals in this year. For all the latest on cyber security and hacking related stories; stay tuned with VOGH. 

UPDATE: Recently we got an update, where Adobe denies the breach. In their later press release an Adobe spokeswoman said the certificate was not actually stolen: "Adobe has stringent security measures in place to protect its code signing infrastructure. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the HSM."

-Source (Adobe, SC Magazine, WIRED)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Hackers Breached Adobe Server in Order to Compromise Certificate to Sign malware"https://www.voiceofgreyhat.com/2012/09/Adobe-Server-Breached-Certificate-Stolen.html</a>

Zero-Day Vulnerability In Flash Patched By Adobe

Zero-Day Vulnerability In Flash Patched By Adobe 

Yet another Zero day vulnerability found in Adobe Flash Player. Earlier hackers found zero-day exploit in flash player which can allow an attacker to hack you web-cam remotely later Adobe patched that. Before releasing Flash Player 11 Adobe issued new privacy policy and security update but now it seems that those are of zero use. 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Version:- 

• Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

• Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Later Adobe confirmed that and immediately released a patch to close the security hole. Through this security release Adobe also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Google's Chrome Web browser, which directly integrates Flash into its software (unlike competing browsers) also received an update to reflect Adobe's patch update. 

Recommendation From Adobe:-

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6. For further details click here.

Earlier in 2011 another Flash Player bug found in Blackberry OS & later fixed by the developer and also last year adobe closes serious security hole in Acrobat 9X & Adobe Reader.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Zero-Day Vulnerability In Flash Patched By Adobe"https://www.voiceofgreyhat.com/2012/02/zero-day-vulnerability-in-flash-patched.html</a>

Adobe Closes Several Critical Security Hole in Shockwave Player

Adobe Closes Several Critical Security Hole in Shockwave Player

If you are a fan or regular user of  Adobe Shockwave Player on your Windows or Mac computer then it's time for you to update your systems. Adobe has released a security update for Adobe Shockwave Player 11.6.7.637 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to Adobe Shockwave Player 11.6.8.638 using the instructions provided below.

This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-5273). 

• AFFECTED SOFTWARE VERSIONS:-

Adobe Shockwave Player 11.6.7.637 and earlier versions for Windows and Macintosh

• SOLUTION:-

Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to the newest version 11.6.8.638, available here: http://get.adobe.com/shockwave/.

This update resolves an array out of bounds vulnerability that could lead to code execution (CVE-2012-4176). Adobe has said that the update is a priority 2 issue. The company recommends users update their installations as soon as is possible, but notes there are no known Shockware exploits in the wild for these flaws.

If you dig the recent past, then you will found the security of Adobe products has been under the microscope the last four weeks. Most recently, Adobe upgraded its Reader and Acrobat products with enhancements to its sandbox functionality and a new feature that forces any DLL loaded by either application to use Address Space Layout Randomization (ASLR). Also we want to remind you that in late September, Adobe disclosed that it had been attacked and hackers were using a valid Adobe certificate to sign two malicious utilities used most often in targeted attacks. Adobe revoked the certificate Oct. 4.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Closes Several Critical Security Hole in Shockwave Player"https://www.voiceofgreyhat.com/2012/10/Adobe-Closes-Critical-SecurityHole-in-Shockwave-Player.html</a>

"April Patch" By Microsoft & Adobe Closed Critical Security Holes

"April Patch" By Microsoft & Adobe Closed Critical Security Holes

As per schedule two software giants Microsoft and Adobe today each issued security bulletin to plug security holes in their vulnerable products. The patch batch from Microsoft fixes at least 11 flaws in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting. The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader. 

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012. Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected. Microsoft said that this patch the highest priority security update this month. “What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.” Other notable fixes from Microsoft this month include a .NETupdate, and a patch for at least five Internet Explorer flaws. Patches are available for all supported versions of Windows, and available through Windows Update. In March 2012 Security bulletins Microsoft closed a total of seven security holes in its products. Among them one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. According to Microsoft (MS12-020) remote code execution vulnerability has been found in RDP (Remote Desktop Protocol).

After Microsoft here comes the turn for Adobe &  they updates fix critical problems in Acrobat and Reader on all supported platforms, including Windows, Mac OS X, and Linux. Users on Windows and Mac can use each products’ built-in update mechanism. The newest, patched version of both Acrobat and Reader is v. 10.1.3 for Windows and Mac systems. The default configuration is set to run automatic update checks on a regular schedule, but update checks can be manually activated by choosing Help > Check for Updates. Reader users who prefer direct links to the latest version can find them by clicking the appropriate OS, Windows, Mac or Linux (v. 9.5.1).

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">"April Patch" By Microsoft & Adobe Closed Critical Security Holes"https://www.voiceofgreyhat.com/2012/04/april-patch-by-microsoft-adobe-closed.html</a>

PDF Malware Using New Tricks to Exploit Vulnerability

Security researchers have identified a new trick in PDF files being sent as email attachments that obfuscate attack code by encoding it inside an image file.

Malicious PDF files are using a new trick to avoid detection by almost all major antivirus scanners on the market, according to security researchers. Researchers from Avast and Sophos independently noticed PDF files making the rounds in March that weren’t being flagged as malicious but had the ability to compromise a machine just by being opened. The originating address was often suspicious, and the attachments accompanied emails purporting to be an order receipt. The attachments themselves often had names containing the supposed order number.
When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot  or FakeAV, Paul Baccas, a senior threat researcher at Sophos Labs, wrote on the company’s Naked Security blog on April 15.
“The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware,” wrote Baccas.
It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability Adobe had patched over a year ago on Feb. 16, 2010, according to Baccas.
The exploit is specific to Reader and would not execute in Google Chrome’s PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that’s a good sign, Chrome generally asks users if it should open the file in Reader if it can’t display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.
The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most aggressive scanner.
“Our parser was unable to get any suitable content that we could define as malicious,” Sejtko said.
Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.
The filter being used to encrypt the malicious code was also meant to be used only for black and white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the payload.
“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream?” Sejtko said. While the “bad guys” are building a specially crafted TIFF image file in the PDF files, the trick can be used to hide special JavaScript and font files, as well.
Compared to other attacks, this attack is seen in “only a very small number” of attacks, Sejtko said, but has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">PDF Malware Using New Tricks to Exploit Vulnerability"https://www.voiceofgreyhat.com/2011/04/pdf-malware-using-new-tricks-to-exploit.html</a>

Adobe release patch for Flash Player to prevent XSS

Adobe has released an out-of-cycle security update for Flash Player just days after learning of a new zero-day vulnerability. The vulnerability affected Flash Player 10.3.181.16 and earlier versions on Windows, Macintosh, Linux and Solaris, and Android version 10.3.185.22 and earlier. Despite the speed of the patch release, the vulnerability did not get the top "critical" rating, but is still rated "important". The "important" status denotes a vulnerability which could compromise data security, allowing hackers access to confidential data, or could compromise processing resources in a user's computer. "This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website," Adobe said in a security bulletin. According to Adobe, the vulnerability is being exploited in the wild, in active, targeted attacks tricking the user into clicking on a malicious link delivered in an e-mail message. Adobe recommends users of the affected versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 or 10.3.181.23 for ActiveX. The firm expects to release an update for Flash Player 10.3.185.22 for Android later this week.
Adobe investigated the flaw in Adobe Reader and Acrobat versions 10.x and 9.x for Windows and Macintosh, but said it was unaware of zero-day attacks against those platforms.
Google has updated its Chrome web browser, also affected by the vulnerability.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe release patch for Flash Player to prevent XSS"https://www.voiceofgreyhat.com/2011/06/adobe-release-path-for-flash-player-to.html</a>

Full Disclosure Of Pentagon Data-breach

We're all human, you know? That's roughly the trick that the hackers most likely relied on when, earlier this year, they managed to steal over 24,000 files from a defense contractor.

The Pentagon won't say what files went astray, or the level of secrecy associated with the contents of the stolen data. But we can assume that at least some of it was highly secret—secret enough that Deputy Defense Secretary William J. Lynn III felt compelled to admit to the attack during a speech about the future of cyber policy yesterday. Lynn said it concerned some of the U.S.'s "most sensitive systems, including aircraft avionics, surveillance technologies" and more, before hinting that foreign powers were behind the attack and using it to declare cyberspace the next battleground.

What went down? Fast Company spoke to Nick Percoco, digital security expert and SVP at Trustwave's SpiderLabs, and familiar with exactly this sort of cyberattack, to get some insight.

How The Hack May Have Begun: Email Scams

The fact that the 24,000 stolen files came from a defense contractor is significant, Percoco notes. It's likely easier to get this sort of data from a contractor than launching an all-out attack on Pentagon servers themselves, because companies are full of people—people who are used to doing business in our digitally connected world. And even though an employee of a defense contractor is probably way more switched on to digital security than you or I, it's still not impossible to cheat someone with access to secret files into placing malware on their work laptop.

All it would take for a dedicated hacker is some basic research. If you wanted to steal data like this, you could start by targeting a particular employee via email—"We've seen this happen to defense contractors," Percoco notes. "Using technology like Google, and LinkedIn and other social networks" hackers could find out who best to target. Say they pick a particular EVP, and work out their email address is "JohnSmith@defencecontractorX.com." Then they work out who their colleagues or bosses may be all the way up to CEO level.

Then it's as simple as going to a source of hacking code using your underworld contacts (or using some of your own) and getting access to a "zero day exploit"—a new loophole in a computer or software system's security that hasn't been publicly discovered yet, and hence is still open for hacking use.

This is where the hack escalates. "In this case, they'd been looking for a zero-day exploit in, say, the Adobe PDF reader. And then they'd take a nice creative pen out and draft up a document that looks like it should be something important," Percoco said. After this, the hacker would set up something like a disposable Gmail account and make the screen name the same as one of the target's peers or the CEO of the company. Then they'd "craft up an email that says 'Here's an important document, some new announcement we're working on. Please review it and be ready for a call at 10 a.m. today.'" The trick is to send this to the target at around 7:30 a.m. local time, because the "best time to send those types of things is right before someone's had their coffee."

Typically the sleep-addled victim would trust the email as it's supposedly from a colleague, then launch the embedded PDF (or other faked document). Usually it causes the newly launched program—Adobe Reader in this example—to crash. But as it crashed, it would actually be installing malicious code on the machine. The virus is injected.

How The Attack Began: Website Sting

A similar attack is possible using a faked-up website that looks like it's actually related to the target company—one of those odd-looking, badly maintained websites that kinda looks official that we've all surfed to at some point and been confused by.

Some of these are actually storage pens for targeted malicious code, carefully honed to appear high on Google searches with SEO tricks. And when, say, a marketing official from the target company Googles to find out how their brand is being referenced around the web, they may stumble across one of these fake sites and trigger the release of malware onto their machine.

What Happened Next: Access Is King

Once the malicious code has been installed on the machine, the "sky's the limit," particularly via the email exploit. A well-coded virus code can evade detection and hide on the computer, doing various wicked things.

Often the "sole purpose of the executable is to go and find files on the person's computer and archive those in a zip file or RAR file, and then attempt to extract them from the system," Percoco said, based on his experience. The code could try lots of different routes, using FTP or HTTP or other protocols to get those files off the system. It's something he's seen in "many environments" and, worryingly, they're often "highly successful in getting those files." The code is typically designed to work on Windows machines, with almost no such exploits targeted at Macs—but Percoco agrees that this is at least partly due to the assumption by a hacker that a business user will be using a PC, not a Mac.

The success would be based on the fact no one's seen this particular kind of attack before (a zero-day exploit payoff) and it would easily circumvent any protective anti-virus software installed on the machine—because the protection doesn't know to look out for this type of virus. The only real way to avoid this sort of attack for the target to "avoid clicking on documents," which is clearly unlikely in the case of a business computer user. 

A smarter hacker would select a network administrator at the target company, because they're human, too. Their machine likely has even more interesting files that have data on network security, what kind of code is let in and let out of company firewalls, and so on.

Getting access to this sort of data (via the same email hack as described above) could let a persistent hacker penetrate a company's network and install a backdoor onto it—totally circumventing security because then "the attacker doesn't have to come in from the outside, they have code running on that system that will basically open up a connection back to the attacker"—not something network security is expecting. Then you can gain access to passwords and credentials to worm your way in further, eventually finding whatever sensitive data you're looking for.

The result could be a grim violation of company security. "We've seen those for a number of years, in all sorts of companies including government-type companies as well," Percoco says. 

Who Did This?

It's easy to see how a hacker could gain access to a machine and even a company network, and how easy it can be to transfer stolen files from infected computers to the hacker. But whois the hacker? The Deputy Secretary of Defense was careful to link it to "foreign" attackers—and considering this year's hacking news, we're instantly imagining China is to blame.

Percoco says his company does hundreds of investigations every year on attacks like these, and it's "very, very difficult to trace an attack to a specific person and specific political motivation." That's unless it's a hacktivist attack, when a group like Anonymous posts the data online and admits it was to blame—and even then "you don't know where these people are actually located."

A hacker could take his laptop down to a coffee shop, buy a cup of joe and "get on their free Wi-Fi system. And now they go and start looking around the world to find a computer that has a security weakness." Once they find it, they can use the hacked computer for a targeting scenario like the one described above, where they send a tainted email. Anyone tracing the code back after the attack was detected may find it sourced on a corporate computer in, say, China. And then they're stuck—because no one's "going to let the U.S. government come in and do a forensic investigation on some business located in China." 

Furthermore, it's rare that even this first Net address is where the attack is coming from—"they're always jumping through one or many systems" Percoco says, which could be in numerous nations and thus completely confound any attempts to track them. Which means the attacker actually could be located anywhere.

The Cold Cyberwar?

Suddenly, there's a much more sinister angle to the Pentagon hack. Forget "The Chinese Way of Hacking." More like "Even More Malicious Hackers Looking Like They're Using The Chinese Way Of Hacking."

-News Source (Gizmodo)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Full Disclosure Of Pentagon Data-breach"https://www.voiceofgreyhat.com/2011/07/full-disclosure-of-pentagon-data-breach.html</a>

(LPS) Lightweight Portable Security

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). It is a LiveCD distro designed by the US Department of Defense to function as a secure end node, in other words, a safe environment from which to access the web or a remote desktop host. Since the focus is on security, LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive, while providing tools such as a web browser, a file manager in addition to few other small tools. Administrator privileges are not required; nothing is installed! LPS-Public is a safer, general-purpose solution for using web-based applications. The accredited LPS-Remote Access is only for accessing your organization’s private network and is available only on request. We requested for one and are yet to hear back from “them”.

This livecd is very useful for not for whole organisation but some departments whose employees are on the move or carry critical data in and out of the organisation. In fact there are two version of the lightweight portable securityFREE download. Their brief use is as follows: linux distro available for a

1. LPS-Public: It includes features designed to allow productive use of the Internet and CAC- or PIV-restricted Government websites from home or while traveling. LPS-Public comes preconfigured with a smart card-enabled Firefox web browser with Java and Flash support, Encryption Wizard-Public, a PDF viewer, a file browser, remote desktop software (Citrix, Microsoft or VMware View), SSH client, and the ability to use USB flash drives. This build does not contain any For Official Use Only (FOUO) material or any customized software. It is a very light distro and needs lesser RAM.
2. LPS-Public Deluxe: It adds OpenOffice software, which is a Microsoft Office-compatible suite of office applications, and Adobe Reader, which allows PDF files to be digitally signed. A bit heavier distribution, requiring about a Gigahertz of RAM.

LPS-Public allows general web browsing and connecting to remote networks. It includes a smart card-enabled Firefox browser supporting CAC and PIV cards, a PDF and text viewer, Java, and Encryption Wizard – Public. LPS-Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer. Our initial working with the linux distro leads us to believe that after logon, you are taken to a desktop that is rendered via IceWM – the window manager for the X Window Systems. You can use a WiFi connection too, but understandably, there is no support for printers and sound. Surprisingly, given the notoriety the Adobe Flash plugins, the distro includes a fairly recent Firefox with the Flash plugin pre-loaded. It also includes a few more Firefox add-ons. You also get a Remote Desktop client to initiate RDP requests. Another interesting thing we observed is that if you plan on using smart cards and you think that it might not be compatible with LPS, worry not as it has the OEM’s firmware updater built in!

Features of LPS

1. LPS differs from traditional operating systems in that it isn’t continually patched.
2. LPS is designed to run from read-only media and without any persistent storage.
3. Any malware that might infect a computer can only run within that session.
4. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction.

Download LPS from the following links:-

LPS-Public:

1. LPS-Public ISO version 1.2.2 (LPS-1.2.2_public.iso) here.
2. LPS-Public ZIP version 1.2.2 (LPS-1.2.2_public_iso.zip) here.

LPS-Public Delux:

1. LPS-Public Delux ISO version 1.2.2 (LPS-1.2.2_public_deluxe.iso) here
2. LPS-Public Delux ZIP version 1.2.2 (LPS-1.2.2_public_deluxe_iso.zip) here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">(LPS) Lightweight Portable Security"https://www.voiceofgreyhat.com/2011/07/lps-lightweight-portable-security.html</a>

Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage

Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage

Earlier we haev discussed many times about one of the most famous and widely used exploitation framework named Metasploit. Yet again the Rapid 7 released another updated version of Metasploit. This update brings Metasploit to version 4.2.0, adding IPv6 support and virtualization target coverage. You'll also notice a new Product News section and update notification for our weekly updates. Since the last major release (4.1.0), added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads. 

Brief About Metasploit:- 

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

Module Changes:-

•     Novell eDirectory eMBox Unauthenticated File Access

•     JBoss Seam 2 Remote Command Execution

•     NAT-PMP Port Mapper

•     TFTP File Transfer Utility

•     VMWare Power Off Virtual Machine

•     VMWare Power On Virtual Machine

•     VMWare Tag Virtual Machine

•     VMWare Terminate ESX Login Sessions

•     John the Ripper AIX Password Cracker

•     7-Technologies IGSS 9 IGSSdataServer.exe DoS

•     Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion

•     DNS and DNSSEC fuzzer

•     CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure

•     CorpWatch Company ID Information Search

•     CorpWatch Company Name Information Search

•     General Electric D20 Password Recovery

•     NAT-PMP External Address Scanner

•     Shodan Search

•     H.323 Version Scanner

•     Drupal Views Module Users Enumeration

•     Ektron CMS400.NET Default Password Scanner

•     Generic HTTP Directory Traversal Utility

•     Microsoft IIS HTTP Internal IP Disclosure

•     Outlook Web App (OWA) Brute Force Utility

•     Squiz Matrix User Enumeration Scanner

•     Sybase Easerver 6.3 Directory Traversal

•     Yaws Web Server Directory Traversal

•     OKI Printer Default Login Credential Scanner

•     MSSQL Schema Dump

•     MYSQL Schema Dump

•     NAT-PMP External Port Scanner

•     pcAnywhere TCP Service Discovery

•     pcAnywhere UDP Service Discovery

•     Postgres Schema Dump

•     SSH Public Key Acceptance Scanner

•     Telnet Service Encyption Key ID Overflow Detection

•     IpSwitch WhatsUp Gold TFTP Directory Traversal

•     VMWare ESX/ESXi Fingerprint Scanner

•     VMWare Authentication Daemon Login Scanner

•     VMWare Authentication Daemon Version Scanner

•     VMWare Enumerate Permissions

•     VMWare Enumerate Active Sessions

•     VMWare Enumerate User Accounts

•     VMWare Enumerate Virtual Machines

•     VMWare Enumerate Host Details

•     VMWare Web Login Scanner

•     VMWare Screenshot Stealer

•     Capture: HTTP JavaScript Keylogger

•     Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION

•     Asterisk Manager Login Utility

•     FreeBSD Telnet Service Encryption Key ID Buffer Overflow

•     Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow

•     Java Applet Rhino Script Engine Remote Code Execution

•     Family Connections less.php Remote Command Execution

•     Gitorious Arbitrary Command Execution

•     Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

•     OP5 license.php Remote Command Execution

•     OP5 welcome Remote Command Execution

•     Plone and Zope XMLTools Remote Command Execution

•     PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit

•     Support Incident Tracker <= 3.65 Remote Command Execution

•     Splunk Search Remote Code Execution

•     Traq admincp/common.php Remote Code Execution

•     vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection

•     Mozilla Firefox 3.6.16 mChannel Use-After-Free

•     CTEK SkyRouter 4200 and 4300 Command Execution

•     Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

•     Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute

•     HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution

•     Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control

•     Java MixerSequencer Object GM_Song Structure Handling Vulnerability

•     MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution

•     MS12-004 midiOutPlayNextPolyEvent Heap Overflow

•     Viscom Software Movie Player Pro SDK ActiveX 6.8

•     Adobe Reader U3D Memory Corruption Vulnerability

•     Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow

•     BS.Player 2.57 Buffer Overflow

•     CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow

•     Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow

•     McAfee SaaS MyCioScan ShowReport Remote Command Execution

•     Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow

•     MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow

•     Ability Server 2.34 STOR Command Stack Buffer Overflow

•     AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow

•     Serv-U FTP Server < 4.2 Buffer Overflow

•     HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow

•     XAMPP WebDAV PHP Upload

•     Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow

•     Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

•     HP Diagnostics Server magentservice.exe Overflow

•     StreamDown 6.8.0 Buffer Overflow

•     Wireshark console.lua Pre-Loading Script Execution

•     Oracle Job Scheduler Named Pipe Command Execution

•     SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow

•     Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

•     OpenTFTP SP 1.4 Error Packet Overflow

•     AIX Gather Dump Password Hashes

•     Linux Gather Saved mount.cifs/mount.smbfs Credentials

•     Multi Gather VirtualBox VM Enumeration

•     UNIX Gather .fetchmailrc Credentials

•     Multi Gather VMWare VM Identification

•     UNIX Gather .netrc Credentials

•     Multi Gather Mozilla Thunderbird Signon Credential Collection

•     Multiple Linux / Unix Post Sudo Upgrade Shell

•     Windows Escalate SMB Icon LNK dropper

•     Windows Escalate Get System via Administrator

•     Windows Gather RazorSQL Credentials

•     Windows Gather File and Registry Artifacts Enumeration

•     Windows Gather Enumerate Computers

•     Post Windows Gather Forensics Duqu Registry Check

•     Windows Gather Privileges Enumeration

•     Windows Manage Download and/or Execute

•     Windows Manage Create Shadow Copy

•     Windows Manage List Shadow Copies

•     Windows Manage Mount Shadow Copy

•     Windows Manage Set Shadow Copy Storage Space

•     Windows Manage Get Shadow Copy Storage Info

•     Windows Recon Computer Browser Discovery

•     Windows Recon Resolve Hostname

•     Windows Gather Wireless BSS Info

•     Windows Gather Wireless Current Connection Info

•     Windows Disconnect Wireless Connection

•     Windows Gather Wireless Profile

For additional information click Here. To Download Metasploit version 4.2.0 for windows & Linux click Here.

 -Source (rapid7)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage"https://www.voiceofgreyhat.com/2012/02/metasploit-420-released-with-ipv6.html</a>